Solved

SBS 2008

Posted on 2011-03-09
3
247 Views
Last Modified: 2012-06-22
I am curious if there is a way to monitor when a user signs in with their username and if there is a way on monitor this when they use OWA as well.

Thanks
0
Comment
Question by:iFrog
  • 2
3 Comments
 
LVL 9

Expert Comment

by:TBK-Consulting
Comment Utility
The security log on the domain controller logs every login attempt and the userid used as well as date/time ... Event ID 672 is a successful logon event you could do some log monitoring of some sort and pull these events to see who logged in and when and from where as well ...
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
Comment Utility
You can enable detailed auditing and within the configuration, you can configure the systems and successful and/or failed events you wish to audit. Following articles outline how to enable and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx

However using auditing can be time consuming to filter and extract.

Another option is to add the lines below to each users logon and log off script to create a log file. It would give you UserName, ComputerName, date and time, in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a log off script in group policy (if you don't already have one: User Configuration | Windows settings | Scripts | Logoff). You likely won’t need the last line (IP address) in the log off script. I don't think this will log OWA access.

As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File

Log On:  jdoe SERVER1  Tue 1/1/2007   9:01
  TCP    10.0.1.100:3389        66.66.123.123:1234        ESTABLISHED

Log Off: jdoe SERVER1  Tue 1/1/2007   9:31

Log On:  jsmith SERVER2  Tue 1/1/2007   11:00
  TCP    10.0.1.200:3389        66.66.123.124:1234        ESTABLISHED

Log Off: jsmith SERVER1  Tue 1/1/2007   11:30
---------------------------------------------------------------------------

:Logging
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo. >> "\\Server\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"

---------------------------------------------------------------------------
Note the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log  file.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 500 total points
Comment Utility
There is some logging for RWW and OWA in C:\Program Files\Windows Small Business Server\Logs\WebWorkplace\w3p3.log  but doesn't really indicate the user for OWA, it does for RWW.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

The SBS 2011 release date (RTM) is supposed to be around Christmas, 2011.  This article is a compilation of my notes -- things I have learned first hand.  The items are in a rather random order, but I think this list covers most of what is new and d…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now