Solved

need to generate login our for a user - Active Directory

Posted on 2014-11-25
Last Modified: 2014-12-01
need a report csv
Question by:Jorge Ocampo

Expert Comment

by:Barry Molenwijk
ID: 40465117
Could you please specify your exact needs as in input and output?

Expert Comment

by:footech
ID: 40465124
@Jorge - I've seen a number of questions that you've started here, and I've got some advice/a request for you.
PLEASE include more details in your questions.  If you don't put any effort into your question, you're likely to get the same amount of effort (i.e. none) in any replies.  Do whatever you can so that the first reply isn't a request for more information.

Author Comment

by:Jorge Ocampo
ID: 40465135
I need to know when he logged in and logged off; as much information as possible about the login times for this user.

Accepted Solution

by:
Asif Bacchus earned 500 total points
ID: 40465302
I'm assuming you'd like a log of when a user logs in and out and from what machine, etc.?  I do this for every company I consult for and it saves me tons of time down the road.  This is the exact setup I use... it's quite a few steps but really simple:

First, set up a hidden share on your server, I call mine MONITORING$.  You do this like any other share, except you put the $ symbol after the name to tell Windows it's hidden by default.

Now create a file called Login.cmd, open notepad and type the following then save the file:
@echo off
rem Append one line per logon to a per-user file; the path is quoted so user names containing spaces still work
echo Login from: %COMPUTERNAME%, Username: %USERNAME%, Date: %DATE%, Time: %TIME% >> "\\SERVER_NAME\Monitoring$\%USERNAME%.csv"

This will write a line to a text file that states the computer, user's name, date and time of the login.  REMEMBER TO CHANGE SERVER_NAME TO MATCH YOUR SERVER!  Also, change the path to the hidden share you created as necessary.

Now create a file called Logoff.cmd, open notepad and type the following then save the file:
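@echo off
rem Append one line per logoff to the same per-user file; the path is quoted so user names containing spaces still work
echo Logoff from: %COMPUTERNAME%, Username: %USERNAME%, Date: %DATE%, Time: %TIME% >> "\\SERVER_NAME\Monitoring$\%USERNAME%.csv"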

This is virtually the same file, except the text is changed to read Logoff.  Again, remember to change SERVER_NAME and the path to your share as needed.

Now, create a new GPO (I call mine Monitoring) and navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).

Open the Logon option and click the Show Files... button.  This will open an Explorer window.  Copy your Logon.cmd file to this location and close Explorer.  Back on the Logon Properties window, click Add... and Browse, select your Logon.cmd file and click Open.  There are no parameters needed, so leave it blank, and click OK.  Click OK again.

Repeat this process for the Logoff option but this time copy your Logoff.cmd file and select it.

Now apply this GPO to any relevant USERS/USER OUs you'd like to monitor and you'll have your logfiles start appearing in your hidden share.

HTH.
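
Added example (not part of the original answer): the lines those scripts append are labelled text rather than true CSV, and %DATE%/%TIME% are locale-dependent, so this PowerShell sketch parses them into columns for a report. The host name, user name and sample lines are constructed; in practice the input would come from Get-Content on the per-user file in the share.

```powershell
# Constructed sample lines in the format written by the Login/Logoff scripts above.
# The third line uses a locale where %TIME% has a comma as decimal separator,
# which would break a naive split on ','.
$sample = @(
    'Login from: WS-0142, Username: jdoe, Date: Tue 11/25/2014, Time:  9:05:12.34 '
    'Logoff from: WS-0142, Username: jdoe, Date: Tue 11/25/2014, Time: 17:31:02.10 '
    'Login from: WS-0207, Username: jdoe, Date: 26.11.2014, Time:  8:58:40,07 '
    'this line was edited by hand'
)

# Anchor on the fixed labels instead of splitting on commas.
$pattern = '^(?<Action>Login|Logoff) from: (?<Computer>[^,]+), Username: (?<User>.+?), ' +
           'Date: (?<Date>.+?), Time:\s*(?<Time>.+?)\s*$'

function ConvertFrom-LogonLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Action   = $Matches.Action
                Computer = $Matches.Computer
                User     = $Matches.User
                Date     = $Matches.Date
                Time     = $Matches.Time
            }
        } elseif ($Line.Trim()) {
            # Surface anything that does not match the expected format.
            Write-Warning "Unparsed line: $Line"
        }
    }
}

# Export-Csv quotes every field, so the embedded comma in the time value is safe.
$sample | ConvertFrom-LogonLine |
    Export-Csv -Path .\jdoe-report.csv -NoTypeInformation
```

Logon scripts under User Configuration run as the user, so every monitored account needs write access to the share; treat these files as user-editable and corroborate anything important against the Security event log.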

Expert Comment

by:Mike Kline
ID: 40465311
You need to enable logging on your domain and then search the event logs.  Good overview here

http://www.morgantechspace.com/2013/10/enable-active-directory-logonlogoff.html

There are third-party tools that make this easier, as going through logs on multiple DCs in a large environment can be a pain. You can also use PowerShell to scan for events (Get-WinEvent).

Thanks

Mike

Expert Comment

by:Asif Bacchus
ID: 40465316
Agree with Mike that auditing is the way to go, but since you asked specifically for a CSV option that's why I posted my suggestion above.  If you have the budget, then Mike is also correct that 3rd party options provide much 'nicer' output options for your logs.

Cheers.

Author Comment

by:Jorge Ocampo
ID: 40465319
Don't need anything fancy, just a simple output: "Username last logged in times 10AM 11/1/14, 9AM 11/2/14", etc.

Author Comment

by:Jorge Ocampo
ID: 40465328
@asif Great stuff by the way, but right now I just need to find out time stamps for a user that left.

Expert Comment

by:Barry Molenwijk
ID: 40465351
If it's not being audited or logged elsewhere right now Jorge, there's no way of getting that information.

Author Comment

by:Jorge Ocampo
ID: 40465436
Well, AD audit is on by default, so I would just need a way to retrieve the information.

Expert Comment

by:Asif Bacchus
ID: 40468598
I think you'd be stuck searching through the audit logs to find that information then.  You can filter for Event IDs 528 for a successful logon and 538 for a successful logoff.  Please see http://technet.microsoft.com/en-ca/library/cc787567(v=ws.10).aspx for all Event IDs including failure.

HTH.
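
Added example (not part of the original comment): one way to pull a user's logon and logoff timestamps from the Security log into a CSV with Get-WinEvent, the cmdlet mentioned earlier in the thread. Event IDs 528 and 538 are the Windows Server 2003-era IDs; on Windows Vista / Server 2008 and later the equivalents are 4624 and 4634, which this sketch uses. The account name and output path are placeholders, and it assumes an elevated session on the machine where the sessions were created.

```powershell
# Placeholder account name (assumption, not from the thread).
$User = 'jdoe'

# 4624 = logon, 4634 = logoff on Vista / Server 2008 and later
# (528 / 538 on Server 2003 and earlier).
$Ids = 4624, 4634

# Filtering by ID in the hashtable is done by the event log service,
# which is far faster than piping the whole log through Where-Object.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Event fields are only named in the XML form of the record.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -ne $User) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = $(if ($e.Id -eq 4624) { 'Logon' } else { 'Logoff' })
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']      # 2 = interactive, 3 = network, 10 = RDP
        Source    = $data['IpAddress']      # present on 4624 only
        LogonId   = $data['TargetLogonId']  # pairs a logoff with its logon
    }
}

$report | Sort-Object Time |
    Export-Csv -Path .\logon-report.csv -NoTypeInformation
```

Only events still retained in the log can be returned, and network logons (type 3) usually outnumber interactive ones, so filter on LogonType when the question is when someone sat at a machine.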

Expert Comment

by:Asif Bacchus
ID: 40475325
Glad you got everything sorted out!