Viewing Log in and off in AD on SBS08
I have a request from a client to see when certain users are logging in and off, he thinks his employees are taking advantage of him. Can you please tell me how to check log on and off times per user? Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@SaadAhmedFarooqui
Good idea. That works fine for a basic check (assuming the computer is connectable to the share at the logon). However, logon scripts run under the context of the logged in user, so the user can just go into the file and edit it himself or view other user's info. For a very small company, that's usually acceptable (but make sure they know the risk!). I do enterprise solutions, which this would not be allowed.
Good idea. That works fine for a basic check (assuming the computer is connectable to the share at the logon). However, logon scripts run under the context of the logged in user, so the user can just go into the file and edit it himself or view other user's info. For a very small company, that's usually acceptable (but make sure they know the risk!). I do enterprise solutions, which this would not be allowed.
Yes you may be right :), if you are looking for something robust you will need to rely on the eventlog.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi,
I tried to do the account audits, the problem I ran in to is it displays N/A under the user column.
I need specific users. I like the idea of the logon script. I am going to try this today. I will keep you posted. Thanks for your help
I tried to do the account audits, the problem I ran in to is it displays N/A under the user column.
I need specific users. I like the idea of the logon script. I am going to try this today. I will keep you posted. Thanks for your help
ASKER
Should I name the file with .bat or .vbs?
ASKER
Ok... so I used the following script provided from above and copied here. When I named file as .vbs it would bring up that the user is being audited, dont want that. So I renamed it as .bat eveything seemd to work okay. However, when I went to go look at the log file nothing is recorded, I deleted the file as well and it did not create it. When using VBS I recieved the error of the file not there, when using the BAT file it just runs through the script.
I believe the BAT is the way to go since it does not inform the user that it is logging there time, remember they are stealing and we dont want them to know we are monitoring, anyway here is the code copied from the above site.
Thank you
' ParseLogons.vbs
' VBScript program to parse log files created by logon and logoff
' scripts similar to Logon5.vbs. The program outputs one line for each
' session with the computer and user names, logon date/time, logoff
' date/time, and the difference in hours, minutes, and seconds.
'
' --------------------------
' Copyright (c) 2009 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - May 5, 2009
' Version 1.1 - November 4, 2010
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.
Option Explicit
Dim strLogFile, objFSO, objLog, strLine, arrValues
Dim strAction, strDate, strComputer, strUser
Dim objUserList, intDuration, intHr, intMin, strSec, strSession
Const ForReading = 1
' Specify the shared logfile.
strLogFile = "\\TS1\SharedData$\Log File\Domain.log"
' Dictionary object of user sessions and logon dates.
Set objUserList = CreateObject("Scripting.Di
objUserList.CompareMode = vbTextCompare
' Open the log file for read access.
Set objFSO = CreateObject("Scripting.Fi
Set objLog = objFSO.OpenTextFile(strLog
' Output header line.
Wscript.Echo "User Session,Logon,Logoff,Durat
' Read each line of the log file.
Do Until objLog.AtEndOfStream
strLine = Trim(objLog.ReadLine)
' Skip blank lines.
If (strLine <> "") Then
' Parse the line into semicolon delimited fields.
arrValues = Split(strLine, ";")
' There should be at least 4 fields in each line.
If (UBound(arrValues) > 2) Then
' Retrieve values.
strAction = Trim(arrValues(0))
strDate = Trim(arrValues(1))
strComputer = Trim(arrValues(2))
strUser = Trim(arrValues(3))
' Track user sessions by a combination of the
' computer and user names.
strSession = strComputer & "\" & strUser
' Check if this line logs a logon or logoff event.
If (strAction = "Logon") Then
' Check if the last event for this session was a logon.
If (objUserList.Exists(strSes
' Logoff event missing for previous logon event.
Wscript.Echo strSession & "," _
& objUserList(strSession) _
& ",<unknown>,<unknown>"
End If
' Track this session and logon time
' in the dictionary object.
objUserList(strSession) = strDate
End If
If (strAction = "Logoff") Then
' Check if the last event for this session was a logon.
If (objUserList.Exists(strSes
' Calculate how long the user was logged on.
intDuration = (CDate(strDate) _
- CDate(objUserList(strSessi
intDuration = intDuration * 24
intHr = Fix(intDuration)
intMin = Fix((intDuration - intHr) * 60)
strSec = FormatNumber((((intDuratio
- intHr) * 60) - intMin) * 60, 0)
If (strSec = "60") Then
intMin = intMin + 1
strSec = "00"
End If
If (intMin = 60) Then
intHr = intHr + 1
intMin = 0
End If
' Output logon and logoff times and duration
' for this session.
Wscript.Echo strSession & "," _
& objUserList(strSession) _
& "," & strDate & "," _
& Right("0" & CStr(intHr), 2) _
& ":" & Right("0" & CStr(intMin), 2) _
& ":" & Right("0" & strSec, 2)
' Remove entry for this session from dictionary
' object to indicate the user is no longer logged on
' to this computer.
objUserList.Remove(strSess
Else
' Previous logon event missing.
Wscript.Echo strSession & ",<unknown>" _
& "," & strDate & ",<unknown>"
End If
End If
Else
' Wrong number of fields.
Wscript.Echo "Bad line: " & strLine
End If
End If
Loop
' Loop through users still logged on at this time.
For Each strSession In objUserList.Keys
Wscript.Echo strSession & "," & objUserList(strSession) _
& ",<still logged on>,<unknown>"
Next
' Clean up.
objLog.Close
I believe the BAT is the way to go since it does not inform the user that it is logging there time, remember they are stealing and we dont want them to know we are monitoring, anyway here is the code copied from the above site.
Thank you
' ParseLogons.vbs
' VBScript program to parse log files created by logon and logoff
' scripts similar to Logon5.vbs. The program outputs one line for each
' session with the computer and user names, logon date/time, logoff
' date/time, and the difference in hours, minutes, and seconds.
'
' --------------------------
' Copyright (c) 2009 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - May 5, 2009
' Version 1.1 - November 4, 2010
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.
Option Explicit
Dim strLogFile, objFSO, objLog, strLine, arrValues
Dim strAction, strDate, strComputer, strUser
Dim objUserList, intDuration, intHr, intMin, strSec, strSession
Const ForReading = 1
' Specify the shared logfile.
strLogFile = "\\TS1\SharedData$\Log File\Domain.log"
' Dictionary object of user sessions and logon dates.
Set objUserList = CreateObject("Scripting.Di
objUserList.CompareMode = vbTextCompare
' Open the log file for read access.
Set objFSO = CreateObject("Scripting.Fi
Set objLog = objFSO.OpenTextFile(strLog
' Output header line.
Wscript.Echo "User Session,Logon,Logoff,Durat
' Read each line of the log file.
Do Until objLog.AtEndOfStream
strLine = Trim(objLog.ReadLine)
' Skip blank lines.
If (strLine <> "") Then
' Parse the line into semicolon delimited fields.
arrValues = Split(strLine, ";")
' There should be at least 4 fields in each line.
If (UBound(arrValues) > 2) Then
' Retrieve values.
strAction = Trim(arrValues(0))
strDate = Trim(arrValues(1))
strComputer = Trim(arrValues(2))
strUser = Trim(arrValues(3))
' Track user sessions by a combination of the
' computer and user names.
strSession = strComputer & "\" & strUser
' Check if this line logs a logon or logoff event.
If (strAction = "Logon") Then
' Check if the last event for this session was a logon.
If (objUserList.Exists(strSes
' Logoff event missing for previous logon event.
Wscript.Echo strSession & "," _
& objUserList(strSession) _
& ",<unknown>,<unknown>"
End If
' Track this session and logon time
' in the dictionary object.
objUserList(strSession) = strDate
End If
If (strAction = "Logoff") Then
' Check if the last event for this session was a logon.
If (objUserList.Exists(strSes
' Calculate how long the user was logged on.
intDuration = (CDate(strDate) _
- CDate(objUserList(strSessi
intDuration = intDuration * 24
intHr = Fix(intDuration)
intMin = Fix((intDuration - intHr) * 60)
strSec = FormatNumber((((intDuratio
- intHr) * 60) - intMin) * 60, 0)
If (strSec = "60") Then
intMin = intMin + 1
strSec = "00"
End If
If (intMin = 60) Then
intHr = intHr + 1
intMin = 0
End If
' Output logon and logoff times and duration
' for this session.
Wscript.Echo strSession & "," _
& objUserList(strSession) _
& "," & strDate & "," _
& Right("0" & CStr(intHr), 2) _
& ":" & Right("0" & CStr(intMin), 2) _
& ":" & Right("0" & strSec, 2)
' Remove entry for this session from dictionary
' object to indicate the user is no longer logged on
' to this computer.
objUserList.Remove(strSess
Else
' Previous logon event missing.
Wscript.Echo strSession & ",<unknown>" _
& "," & strDate & ",<unknown>"
End If
End If
Else
' Wrong number of fields.
Wscript.Echo "Bad line: " & strLine
End If
End If
Loop
' Loop through users still logged on at this time.
For Each strSession In objUserList.Keys
Wscript.Echo strSession & "," & objUserList(strSession) _
& ",<still logged on>,<unknown>"
Next
' Clean up.
objLog.Close
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Still couldnt get it to work, the client cought the employees cheating him red handed.
Still going to work on it in my lab though. Thanks guys.
Still going to work on it in my lab though. Thanks guys.
That can work for an ad-hoc check to grab all logins. Then you could put that data into a spreadsheet or database and filter on the person you are checking. However, putting the data into a form that can be used for checking the logon at any workstation (or any specified auth source) would take some effort. Those events are designed to be used for auditing purposes, not regular tracking of users.