Solved

Track RWW users?

Posted on 2011-03-22
7
783 Views
Last Modified: 2012-06-21
I am running SBS08 and need a way to track RWW log on's and log off's.  Anyone out there have a solution to do this?
0
Comment
Question by:wdabbs
  • 4
  • 2
7 Comments
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 100 total points
Comment Utility
Tracking log ons should be easy enough - you can use web logs or Event Logs.  Tracking log offs is another story.  The RWW session will time-out but things like Remote Desktop Sessions can remain open.
0
 

Author Comment

by:wdabbs
Comment Utility
Look for a bit more granular information, such as user who is logging in and when
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 400 total points
Comment Utility
The RWW logging is done in the following log:
C:\Program Files\Windows Small Business Server\Logs\WebWorkplace\w3wp.log
It will take a while to parse the necessary information.

I have used logon and log off scripts to document terminal server users. The same can be used for RWW sessions but it would log every connection by a user to any PC whether local or remote so it will get lengthy. It will show the IP from which they connected so you determinermin if it was local or RWW. In the case of RWW rather than terminal services, I think it will show the SBS IP rather than the actual remote IP.

Add the lines below to each users logon and log off script to create a log file. It would give you UserName, ComputerName, date and time, in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a log off script in group policy (if you don't already have one: User Configuration | Windows settings | Scripts | Logoff). You likely won’t need the last line (IP address) in the log off script.

As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File

Log On:  jdoe SERVER1  Tue 1/1/2007   9:01
  TCP    10.0.1.100:3389        66.66.123.123:1234        ESTABLISHED

Log Off: jdoe SERVER1  Tue 1/1/2007   9:31

Log On:  jsmith SERVER2  Tue 1/1/2007   11:00
  TCP    10.0.1.200:3389        66.66.123.124:1234        ESTABLISHED

Log Off: jsmith SERVER1  Tue 1/1/2007   11:30
---------------------------------------------------------------------------

:Logging
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo. >> "\\Server\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"

---------------------------------------------------------------------------
Note the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log  file.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I don't understand why you are deleting the question when you received a viable answer. Though it may not be exactly what you were looking for, some sort of reply might have allowed us to assist further.
It is frustrating for the "experts", who volunteer their time, to take the time to try to carefully answer a question and then have the author delete it out of lack of interest.
--Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Thank you wdabbs. Please let us know if we can help further with the reporting.
Cheers!
--Rob
0
 

Author Comment

by:wdabbs
Comment Utility
Sorry, I am not the one from this company who posted this question and it looks to have been abandoned, I could not post a new question with this one still out here so I tried deleting it. I am sorry if that bummed you out. Since I can't find out who authored this question to begin with, I'll go ahead and accept your solution and we can move forward. All of us here appreciate the work you all do and you have put us on the right track many times
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Thanks for explaining wdabbs, I appreciate your circumstances.
We all understand that happens, juts post a note to that effect in future and then delete or close. Even a "that won't work" is fine. Sorry to be a whiner :-)
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Ever wondered why Windows 8 and 10 don't seem to accept your GPO-based software deployment while Windows 7 does? Read on.
Email signature management is something that is often overlooked in many organizations or is simply not implemented effectively. Let's take a look at what methods are available for managing this important piece of corporate branding.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now