Viewing Log in and off in AD on SBS08

Posted on 2011-04-24
Last Modified: 2012-05-11
I have a request from a client to see when certain users are logging in and off; he thinks his employees are taking advantage of him. Can you please tell me how to check log on and off times per user? Thanks
Question by:troyt93955
    LVL 4

    Accepted Solution

    You'll need to enable account logon events using Group Policy, then you can check the security events on the DC or the user's PC.
    To make things easier you can use a program like EventCombMT to consolidate the logs.

    The EventComb tool is handy if you have many DCs; it's part of the account lockout tools available here:

    To download the EventCombMT utility, visit the following Microsoft Web site:
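
One way to pull per-user logon and logoff times out of the Security log once auditing is enabled, as an added example that is not part of the original answer. It assumes success auditing of logon events is on for the machine where it runs, a Windows Vista/Server 2008 or later event log (events 4624 and 4634), and hypothetical account names `jsmith` and `mjones`; it reads the account name from the event data, because the User column for these events shows N/A.

```vbscript
' Added example, not code from the thread. Lists interactive logon and
' logoff events for chosen accounts from the local Security log.
' Assumes logon-event success auditing is on; run elevated with cscript.
Option Explicit

Dim arrWatch, objWMI, colEvents, objEvent, objTime, arrIns
Dim strUser, strType, strAction

' Hypothetical account names to report on.
arrWatch = Array("jsmith", "mjones")

' Reading the Security log through WMI requires the Security privilege.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
Set colEvents = objWMI.ExecQuery("SELECT * FROM Win32_NTLogEvent " _
    & "WHERE Logfile = 'Security' AND (EventCode = 4624 OR EventCode = 4634)")
Set objTime = CreateObject("WbemScripting.SWbemDateTime")

Wscript.Echo "Action,Time,Computer,User,LogonType"
For Each objEvent In colEvents
    arrIns = objEvent.InsertionStrings
    strUser = "" : strType = ""
    If IsArray(arrIns) Then
        ' 4624 = logon: account name is field 5, logon type is field 8.
        If (objEvent.EventCode = 4624) And (UBound(arrIns) >= 8) Then
            strAction = "Logon" : strUser = arrIns(5) : strType = arrIns(8)
        ' 4634 = logoff: account name is field 1, logon type is field 4.
        ElseIf (objEvent.EventCode = 4634) And (UBound(arrIns) >= 4) Then
            strAction = "Logoff" : strUser = arrIns(1) : strType = arrIns(4)
        End If
    End If
    If IsWatched(strUser) And IsInteractive(strType) Then
        objTime.Value = objEvent.TimeGenerated
        Wscript.Echo strAction & "," & objTime.GetVarDate(True) & "," _
            & objEvent.ComputerName & "," & strUser & "," & strType
    End If
Next

Function IsWatched(strName)
    Dim strItem
    IsWatched = False
    For Each strItem In arrWatch
        If (StrComp(strItem, strName, vbTextCompare) = 0) Then IsWatched = True
    Next
End Function

' Keep console (2), Remote Desktop (10) and cached (11) logons only,
' so network logons (type 3) to shares do not count as sessions.
Function IsInteractive(strLogonType)
    IsInteractive = (strLogonType = "2") Or (strLogonType = "10") _
        Or (strLogonType = "11")
End Function
```
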
    LVL 12

    Assisted Solution

    There's no central way to do this - the logon timestamps stored in AD apply to the account. Any logon of the account (not just via a workstation) is recorded.

    Honestly, the best approach to this issue is having the user login to an application (or web app) that records the login/logout times. Some products run at a user's login or logoff and do this in the background, but I've personally never seen one that worked well enough even in a somewhat medium-sized environment.

    It is possible, via WMI or other methods, to query each computer and find the last login for a particular user (or the last login for all users on the PC), but it requires all the PCs to be online and connectable, and a user may have logged into more than 1 PC. It's not really a reliable solution, but I wanted to note it.
    LVL 12

    Expert Comment

    That can work for an ad-hoc check to grab all logins. Then you could put that data into a spreadsheet or database and filter on the person you are checking. However, putting the data into a form that can be used for checking the logon at any workstation (or any specified auth source) would take some effort. Those events are designed to be used for auditing purposes, not regular tracking of users.
    LVL 5

    Assisted Solution

    You can write a simple logon and logoff script and apply it to those users.

    I did it once for a similar request; the script just updated a text file shared on a network with the username and time.

    The CEO used to read the file himself and it was easy.

    LVL 12

    Expert Comment

    Good idea. That works fine for a basic check (assuming the computer is connectable to the share at the logon). However, logon scripts run under the context of the logged-in user, so the user can just go into the file and edit it himself or view other users' info. For a very small company, that's usually acceptable (but make sure they know the risk!). I do enterprise solutions, where this would not be allowed.
    LVL 5

    Expert Comment

    Yes you may be right :), if you are looking for something robust you will need to rely on the eventlog.
    LVL 10

    Assisted Solution

    by:Muzafar Momin

    Author Comment

    I tried to do the account audits; the problem I ran into is it displays N/A under the user column.
    I need specific users. I like the idea of the logon script. I am going to try this today. I will keep you posted. Thanks for your help

    Author Comment

    Should I name the file with .bat or .vbs?

    Author Comment

    Ok... so I used the following script provided from above and copied here. When I named the file as .vbs it would bring up that the user is being audited; don't want that. So I renamed it as .bat and everything seemed to work okay. However, when I went to go look at the log file nothing is recorded. I deleted the file as well and it did not create it. When using VBS I received the error of the file not there; when using the BAT file it just runs through the script.

    I believe the BAT is the way to go since it does not inform the user that it is logging their time. Remember they are stealing and we don't want them to know we are monitoring. Anyway, here is the code copied from the above site.

    Thank you

    ' ParseLogons.vbs
    ' VBScript program to parse log files created by logon and logoff
    ' scripts similar to Logon5.vbs. The program outputs one line for each
    ' session with the computer and user names, logon date/time, logoff
    ' date/time, and the difference in hours, minutes, and seconds.
    ' ----------------------------------------------------------------------
    ' Copyright (c) 2009 Richard L. Mueller
    ' Hilltop Lab web site -
    ' Version 1.0 - May 5, 2009
    ' Version 1.1 - November 4, 2010
    ' You have a royalty-free right to use, modify, reproduce, and
    ' distribute this script file in any way you find useful, provided that
    ' you agree that the copyright owner above has no warranty, obligations,
    ' or liability for such use.

    Option Explicit

    Dim strLogFile, objFSO, objLog, strLine, arrValues
    Dim strAction, strDate, strComputer, strUser
    Dim objUserList, intDuration, intHr, intMin, strSec, strSession

    Const ForReading = 1

    ' Specify the shared logfile.
    strLogFile = "\\TS1\SharedData$\Log File\Domain.log"

    ' Dictionary object of user sessions and logon dates.
    Set objUserList = CreateObject("Scripting.Dictionary")
    objUserList.CompareMode = vbTextCompare

    ' Open the log file for read access.
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objLog = objFSO.OpenTextFile(strLogFile, ForReading)

    ' Output header line.
    Wscript.Echo "User Session,Logon,Logoff,Duration (hh:mm:ss)"

    ' Read each line of the log file.
    Do Until objLog.AtEndOfStream
        strLine = Trim(objLog.ReadLine)
        ' Skip blank lines.
        If (strLine <> "") Then
            ' Parse the line into semicolon delimited fields.
            arrValues = Split(strLine, ";")
            ' There should be at least 4 fields in each line.
            If (UBound(arrValues) > 2) Then
                ' Retrieve values.
                strAction = Trim(arrValues(0))
                strDate = Trim(arrValues(1))
                strComputer = Trim(arrValues(2))
                strUser = Trim(arrValues(3))
                ' Track user sessions by a combination of the
                ' computer and user names.
                strSession = strComputer & "\" & strUser
                ' Check if this line logs a logon or logoff event.
                If (strAction = "Logon") Then
                   ' Check if the last event for this session was a logon.
                    If (objUserList.Exists(strSession) = True) Then
                        ' Logoff event missing for previous logon event.
                        Wscript.Echo strSession & "," _
                            & objUserList(strSession) _
                            & ",<unknown>,<unknown>"
                    End If
                    ' Track this session and logon time
                    ' in the dictionary object.
                    objUserList(strSession) = strDate
                End If
                If (strAction = "Logoff") Then
                    ' Check if the last event for this session was a logon.
                    If (objUserList.Exists(strSession) = True) Then
                        ' Calculate how long the user was logged on.
                        intDuration = (CDate(strDate) _
                            - CDate(objUserList(strSession)))
                        intDuration = intDuration * 24
                        intHr = Fix(intDuration)
                        intMin = Fix((intDuration - intHr) * 60)
                        strSec = FormatNumber((((intDuration _
                            - intHr) * 60) - intMin) * 60, 0)
                        If (strSec = "60") Then
                            intMin = intMin + 1
                            strSec = "00"
                        End If
                        If (intMin = 60) Then
                            intHr = intHr + 1
                            intMin = 0
                        End If
                         ' Output logon and logoff times and duration
                        ' for this session.
                        Wscript.Echo strSession & "," _
                            & objUserList(strSession) _
                            & "," & strDate & "," _
                            & Right("0" & CStr(intHr), 2) _
                            & ":" & Right("0" & CStr(intMin), 2) _
                            & ":" & Right("0" & strSec, 2)
                        ' Remove entry for this session from dictionary
                        ' object to indicate the user is no longer logged on
                        ' to this computer.
                        objUserList.Remove strSession
                    Else
                        ' Previous logon event missing.
                        Wscript.Echo strSession & ",<unknown>" _
                            & "," & strDate & ",<unknown>"
                    End If
                End If
            Else
                ' Wrong number of fields.
                Wscript.Echo "Bad line: " & strLine
            End If
        End If
    Loop

    ' Close the log file.
    objLog.Close

    ' Loop through users still logged on at this time.
    For Each strSession In objUserList.Keys
        Wscript.Echo strSession & "," & objUserList(strSession) _
            & ",<still logged on>,<unknown>"
    Next

    ' Clean up.
    Set objLog = Nothing
    Set objFSO = Nothing
    Set objUserList = Nothing
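
ParseLogons.vbs above only reads an existing log; it expects lines of the form `Action;Date;Computer;User` written by separate logon and logoff scripts. The following is an added example of such a writer, not part of the original post and not Richard L. Mueller's Logon5.vbs; the file name `LogSession.vbs` and the `Logon`/`Logoff` argument convention are assumptions, and the share path is the one used in the parser.

```vbscript
' LogSession.vbs - added example, not code from the thread.
' Appends one "Action;Date;Computer;User" line to the shared log read by
' ParseLogons.vbs. Assign it as both the logon and the logoff script and
' pass "Logon" or "Logoff" as the script parameter.
Option Explicit

Dim objFSO, objNet, objLog, strAction, strLogFile, intTry
Const ForAppending = 8

' Same path the parser reads. The script runs as the logged-on user, so
' those users need write access here and could also edit the file.
strLogFile = "\\TS1\SharedData$\Log File\Domain.log"

If (Wscript.Arguments.Count <> 1) Then Wscript.Quit 1

' The parser compares the action case-sensitively, so normalise it.
Select Case LCase(Wscript.Arguments(0))
    Case "logon"  : strAction = "Logon"
    Case "logoff" : strAction = "Logoff"
    Case Else     : Wscript.Quit 1
End Select

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNet = CreateObject("Wscript.Network")

' Another workstation may hold the file open; retry a few times.
For intTry = 1 To 5
    On Error Resume Next
    Set objLog = objFSO.OpenTextFile(strLogFile, ForAppending, True)
    If (Err.Number = 0) Then
        On Error GoTo 0
        ' CStr(Now) uses the regional settings of this session; run the
        ' parser under the same settings so CDate reads the value back.
        objLog.WriteLine strAction & ";" & CStr(Now()) & ";" _
            & objNet.ComputerName & ";" & objNet.UserName
        objLog.Close
        Wscript.Quit 0
    End If
    Err.Clear
    On Error GoTo 0
    Wscript.Sleep 200
Next

' Share unreachable or file locked for the whole retry window.
Wscript.Quit 2
```
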

    LVL 5

    Assisted Solution

    I used a batch file; it was simple code.

    Echo Login %username% %date% %Time% >>"C:\mydirectory\login.txt"

    I made two batch files one began with login and other with logoff.

    You can redirect the output to csv file which will open in excel and can be easily used for reports.

    In your case you will need to replace the local path with the path of the shared location.

    Author Closing Comment

    Still couldn't get it to work; the client caught the employees cheating him red-handed.

    Still going to work on it in my lab though. Thanks guys.
