• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 292
  • Last Modified:

Viewing Log in and off in AD on SBS08

I have a request from a client to see when certain users are logging in and off, he thinks his employees are taking advantage of him. Can you please tell me how to check log on and off times per user? Thanks
  • 4
  • 3
  • 3
  • +2
5 Solutions
You'll need to enable account Logon events using Group Policy, then you can check the security events on the DC or the isers PC.
To make things easier you can use a progrem like eventscmb to consolidate the logs.


The events comb tool has handy if you have many DC's, its part of the account lockout tools available here:

To download the EventCombMT utility, visit the following Microsoft Web site:
There's no central way to do this - the logon timestamps stored in AD apply to the account. Any logon of the account (not just via a workstation) is recorded.

Honestly, the best approaches to this issue is having the user login to an application (or web app) that records the login/logout times. Some products run at a user's login or logoff and do this in the background, but I've personally never seen one that worked well enough even in a somewhat medium-sized environment.

It is possible to, via WMI or other methods, to query each computer and find the last login for a particular user (or the last login for all users on the PC), but it requires all the PCs to be online and connectable, and a user may have logged into more than 1 PC. It's not really a reliable solution, but I wanted to note it.
That can work for an ad-hoc check to grab all logins. Then you could put that data into a spreadsheet or database and filter on the person you are checking. However, putting the data into a form that can be used for checking the logon at any workstation (or any specified auth source) would take some effort. Those events are designed to be used for auditing purposes, not regular tracking of users.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

You can write a simple logon and logoff script and apply it to those users.

I did it once for a simliar request the script just updated a text file shared on a network with the username and Time.

The CEO used to read the file himself and it was easy.

Good idea. That works fine for a basic check (assuming the computer is connectable to the share at the logon). However, logon scripts run under the context of the logged in user, so the user can just go into the file and edit it himself or view other user's info. For a very small company, that's usually acceptable (but make sure they know the risk!). I do enterprise solutions, which this would not be allowed.
Yes you may be right :), if you are looking for something robust you will need to rely on the eventlog.
Muzafar MominCommented:
troyt93955Author Commented:
I tried to do the account audits, the problem I ran in to is it displays N/A under the user column.
I need specific users. I like the idea of the logon script. I am going to try this today. I will keep you posted. Thanks for your help
troyt93955Author Commented:
Should I name the file with .bat or .vbs?
troyt93955Author Commented:
Ok... so I used the following script provided from above and copied here. When I named file as .vbs it would bring up that the user is being audited, dont want that. So I renamed it as .bat eveything seemd to work okay. However, when I went to go look at the log file nothing is recorded, I deleted the file as well and it did not create it. When using VBS I recieved the error of the file not there, when using the BAT file it just runs through the script.

I believe the BAT is the way to go since it does not inform the user that it is logging there time, remember they are stealing and we dont want them to know we are monitoring, anyway here is the code copied from the above site.

Thank you

' ParseLogons.vbs
' VBScript program to parse log files created by logon and logoff
' scripts similar to Logon5.vbs. The program outputs one line for each
' session with the computer and user names, logon date/time, logoff
' date/time, and the difference in hours, minutes, and seconds.
' ----------------------------------------------------------------------
' Copyright (c) 2009 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - May 5, 2009
' Version 1.1 - November 4, 2010
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.

Option Explicit

Dim strLogFile, objFSO, objLog, strLine, arrValues
Dim strAction, strDate, strComputer, strUser
Dim objUserList, intDuration, intHr, intMin, strSec, strSession

Const ForReading = 1

' Specify the shared logfile.
strLogFile = "\\TS1\SharedData$\Log File\Domain.log"

' Dictionary object of user sessions and logon dates.
Set objUserList = CreateObject("Scripting.Dictionary")
objUserList.CompareMode = vbTextCompare

' Open the log file for read access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(strLogFile, ForReading)

' Output header line.
Wscript.Echo "User Session,Logon,Logoff,Duration (hh:mm:ss)"

' Read each line of the log file.
Do Until objLog.AtEndOfStream
    strLine = Trim(objLog.ReadLine)
    ' Skip blank lines.
    If (strLine <> "") Then
        ' Parse the line into semicolon delimited fields.
        arrValues = Split(strLine, ";")
        ' There should be at least 4 fields in each line.
        If (UBound(arrValues) > 2) Then
            ' Retrieve values.
            strAction = Trim(arrValues(0))
            strDate = Trim(arrValues(1))
            strComputer = Trim(arrValues(2))
            strUser = Trim(arrValues(3))
            ' Track user sessions by a combination of the
            ' computer and user names.
            strSession = strComputer & "\" & strUser
            ' Check if this line logs a logon or logoff event.
            If (strAction = "Logon") Then
               ' Check if the last event for this session was a logon.
                If (objUserList.Exists(strSession) = True) Then
                    ' Logoff event missing for previous logon event.
                    Wscript.Echo strSession & "," _
                        & objUserList(strSession) _
                        & ",<unknown>,<unknown>"
                End If
                ' Track this session and logon time
                ' in the dictionary object.
                objUserList(strSession) = strDate
            End If
            If (strAction = "Logoff") Then
                ' Check if the last event for this session was a logon.
                If (objUserList.Exists(strSession) = True) Then
                    ' Calculate how long the user was logged on.
                    intDuration = (CDate(strDate) _
                        - CDate(objUserList(strSession)))
                    intDuration = intDuration * 24
                    intHr = Fix(intDuration)
                    intMin = Fix((intDuration - intHr) * 60)
                    strSec = FormatNumber((((intDuration _
                        - intHr) * 60) - intMin) * 60, 0)
                    If (strSec = "60") Then
                        intMin = intMin + 1
                        strSec = "00"
                    End If
                    If (intMin = 60) Then
                        intHr = intHr + 1
                        intMin = 0
                    End If
                     ' Output logon and logoff times and duration
                    ' for this session.
                    Wscript.Echo strSession & "," _
                        & objUserList(strSession) _
                        & "," & strDate & "," _
                        & Right("0" & CStr(intHr), 2) _
                        & ":" & Right("0" & CStr(intMin), 2) _
                        & ":" & Right("0" & strSec, 2)
                    ' Remove entry for this session from dictionary
                    ' object to indicate the user is no longer logged on
                    ' to this computer.
                    ' Previous logon event missing.
                    Wscript.Echo strSession & ",<unknown>" _
                        & "," & strDate & ",<unknown>"
                End If
            End If
            ' Wrong number of fields.
            Wscript.Echo "Bad line: " & strLine
        End If
    End If

' Loop through users still logged on at this time.
For Each strSession In objUserList.Keys
    Wscript.Echo strSession & "," & objUserList(strSession) _
        & ",<still logged on>,<unknown>"

' Clean up.

I used a batch file it was a simple code

Echo Login %username% %date% %Time% >>"C:\mydirectory\login.txt"

I made two batch files one began with login and other with logoff.

You can redirect the output to csv file which will open in excel and can be easily used for reports.

In your case you will need to replace the local path with the path of the shared location.
troyt93955Author Commented:
Still couldnt get it to work, the client cought the employees cheating him red handed.

Still going to work on it in my lab though. Thanks guys.

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

  • 4
  • 3
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now