Thursday, February 27, 2014

Looking for an easier way to audit (track or report) Windows logons / logouts?

This comes up a lot: internal admins or management want the ability to track users' logons, only auditing is too complex to navigate.

The traditional way is to enable event log auditing of logons. To accomplish this, your domain needs to be configured to audit logon events: create a GPO and set "Audit account logon events" to both success and failure. This is done under "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy". Once this is configured, you can use the tool ADAudit+ to generate reports based on this information: http://www.manageengine.com/products/active-directory-audit/user-logon-audit-reports.html#workstation

Another simple approach can be done via login scripts.
 - Create a shared folder on the network. Everyone should have full access to this share. In my example, I'll use "access".
 - In that folder, create a folder called User and a folder called Computer (just whichever one you want to use).
 - Create a Login.bat batch file-
          Name- Login.bat
          Option 1 -          
          rem The following line creates a rolling log file of usage by workstation
          echo Log In %Date% %TIME% %USERNAME% >> \\server\access\computer\%COMPUTERNAME%.log
         
          Option 2 -          
          rem The following line creates a rolling log file of usage by user
          echo Log In %Date% %TIME% %COMPUTERNAME% >> \\server\access\user\%USERNAME%.log
 - Create a Logout.bat batch file-
          Name- Logout.bat
          Option 1 -  
          rem The following line creates a rolling log file of usage by workstation
          echo Log Off %Date% %TIME% %USERNAME% >> \\server\access\computer\%COMPUTERNAME%.log

          Option 2 -
          rem The following line creates a rolling log file of usage by user
          echo Log Off %Date% %TIME% %COMPUTERNAME% >> \\server\access\user\%USERNAME%.log
 - Put these files in the Access shared folder.
 - Create a GPO. Under "User Configuration\Windows Settings\Scripts", add login.bat to the Logon Scripts box and logout.bat to the Logout Scripts box.
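
Once the scripts are deployed, the rolling per-user log from Option 2 can be turned into a session report that pairs each "Log In" with its "Log Off" and flags logons that were never closed. The Python script below is an added example, not part of the original post; it assumes US-English %DATE% / %TIME% formatting, and the sample lines and workstation names are constructed.

```python
import re
from datetime import datetime

# Constructed sample of \\server\access\user\jsmith.log (Option 2). Assumes a
# US-English workstation: %DATE% -> "Thu 02/27/2014", %TIME% -> "HH:MM:SS.cc"
# with the hour space-padded before 10:00. Workstation names are made up.
SAMPLE = """\
Log In Thu 02/27/2014  8:01:12.40 WS-014
Log Off Thu 02/27/2014 12:03:55.10 WS-014
Log In Thu 02/27/2014 13:00:02.77 WS-014
Log In Fri 02/28/2014  7:58:41.03 WS-022
Log Off Fri 02/28/2014 17:02:09.91 WS-022
"""

# "echo ... >>" leaves a trailing space on every line, hence the final \s*.
LINE = re.compile(
    r"^Log (In|Off) \w{3} (\d{2}/\d{2}/\d{4})\s+"
    r"(\d{1,2}:\d{2}:\d{2})\.\d{2} (\S+)\s*$"
)

def sessions(text):
    """Return sorted (start, end, name) tuples; end is None if no Log Off followed."""
    open_at = {}  # name -> time of a "Log In" not yet matched by a "Log Off"
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other locale format, blank line, or hand-edited entry
        action, date, time, name = m.groups()
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        if action == "In":
            if name in open_at:
                # Second logon with no logoff in between: the logoff script
                # never wrote its line (power loss, share unreachable, ...).
                out.append((open_at[name], None, name))
            open_at[name] = ts
        elif name in open_at:
            out.append((open_at.pop(name), ts, name))
        # A "Log Off" with no matching "Log In" is ignored.
    out.extend((ts, None, name) for name, ts in open_at.items())
    return sorted(out, key=lambda s: s[0])

if __name__ == "__main__":
    for start, end, name in sessions(SAMPLE):
        length = end - start if end else "no Log Off recorded"
        print(f"{name}  {start}  {length}")
```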

1 comment:

  1. Great, thanks for sharing the useful information; this article's explanation relates to how to track logon or logoff activity. I also found good information about it at http://www.lepide.com/lepideauditor/active-directory.html. It helps to track every single Active Directory user logon/logoff activity. It allows you to generate specific reports based on defined objects, classes, etc. and save them in CSV, PDF or MHT format.
