Solved

Query for User logon times

Posted on 2010-09-02
4
454 Views
Last Modified: 2012-06-27
Hello Experts,

Our legal department has asked for information on each time a user logged on during a specific period of time.  I can get the last time they logged on, but they'd like to see if the user logged in on several specific dates?  Is there even a way to do this?  I have researched but have not been able to find anything.

For reference all servers are Win2k3.  Desktop clients are XP.

Thanks for any insight.

Rick
0
Comment
Question by:DTSC-OEIM
4 Comments
 
LVL 3

Assisted Solution

by:tonyszko
tonyszko earned 75 total points
ID: 33591451
If you have not gathered security logs from domain controllers or workstations from this period there is no way to tell what You are asking for. If You have event logs you can process themto extract logon events.
0
 
LVL 65

Assisted Solution

by:RobSampson
RobSampson earned 75 total points
ID: 33591763
In my environment we pre-emted this scenario, and I have in place a script that will record each user logon and logoff to a text file on the server.  This gave us that history from when I put the script in place.  Otherwise checking your security logs on the DCs is the only other way.

Rob.
0
 
LVL 5

Accepted Solution

by:
rov17 earned 100 total points
ID: 33593267
Hi ,
We using the below VB script to audit users logs on, assign the script as a log in to all users
Hope that helps


On Error Resume Next

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colItems = objWMIService.ExecQuery("Select * from Win32_BIOS",,48)
For Each objItem in colItems
    SerialNumber = trim(objItem.SerialNumber)
Next

Dim Manufacturer 
Dim Model 
Dim MachineName  
Dim SerialNumber 
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem",,48)
For Each objItem in colItems
	Manufacturer = Trim(objItem.Manufacturer) ' manufacturer
    Model = trim(objItem.Model)		' pc model
    MachineName  = trim(objItem.Name)		' computer netbios name

Next

Dim TotalVisibleMemory 
Dim OperatingSystemAndServicePack 
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48)
For Each objItem In colItems
   cOSs = objItem.Name
   pos = InStr(1, cOsS,"|",1)
   cOS1 = left(cOSs,pos-1)
   OperatingSystemAndServicePack =  cOS1 & " " & objItem.CSDVersion
   'TotalVisibleMemory = objItem.TotalVisibleMemorySize
   TotalVisibleMemory = FormatNumber(objItem.TotalVisibleMemorySize/1024,0) + " MEG" 
Next


Dim ProcessorAndClockSpeed 
Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor",,48)
For Each objItem in colItems
ProcessorAndClockSpeed= trim(objItem.Name) & " /" & objItem.CurrentClockSpeed & " MHz"
Next

Dim UserName
set oNet = CreateObject("WScript.Network") 
UserName = oNet.UserName

set wshShell1=Wscript.CreateObject("Wscript.Shell")
set logonserver= WshShell1.ExpandEnvironmentStrings("%logonserver%")




UpdateList UserName,MachineName,Manufacturer,Model,SerialNumber,ProcessorAndClockSpeed,TotalVisibleMemory,OperatingSystemAndServicePack,Width,Height,WshShell1.ExpandEnvironmentStrings("%logonserver%")


Function UpdateList(UserName,MachineName,Manufacturer,Model,SerialNumber,ProcessorAndClockSpeed,TotalVisibleMemory,OperatingSystemAndServicePack,Width,Height,logonserver)
	Dim filename
	filename = "\\share\Logon.csv"
	Const Appending = 8
	Const a = """" ' used at begginging & end
	Const b = """,""" ' used everywhere else.
	Set fso = CreateObject("Scripting.FileSystemObject")
	Set f = fso.OpenTextFile(filename, Appending, False)
	f.WriteLine(a &UserName& b & MachineName & b & Manufacturer& b & Model& b & SerialNumber& b & ProcessorAndClockSpeed& b & TotalVisibleMemory& b & OperatingSystemAndServicePack& b & Width& b & Height& b & logonserver& b &Now()& a)
	f.Close

end Function

Function ScreenResolution()
Set oIE = CreateObject("InternetExplorer.Application")
With oIE
.Navigate("about:blank")
Do Until .readyState = 4: wscript.sleep 100: Loop
width = .document.ParentWindow.screen.width
height = .document.ParentWindow.screen.height
End With
oIE.Quit
ScreenResolution = array(width,height)
End Function

Open in new window

0
 

Author Closing Comment

by:DTSC-OEIM
ID: 33596706
Thanks all, this is more or less what I told them.  Our logs don't go back as far as they want to check, so it's "out of luck" for them.  Thanks Rov17 for the script.  Points for everyone.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question