Just say you want to audit domain log on and log offs within your network. This is always a good idea to ensure that you know who is logging into what and when. I have used this method in a number of places and it has always proven to be useful for both monitoring user honesty (They worked when they said they did), and accountability (Seeing who accessed what server)
Here is the steps to get this up and running
- Create a folder in a generally accessible network share. I am going to create a folder called LOOAudit within the NETLOGON share within the domain SYSDOMAIN to allow general access and sync between domain controllers.
- Optionally you can also create a hidden share on one of your servers to receive the data. I am going to create a hidden share called LOOAudit$ on a server called MAIN to receive the data.
- Create a text file in the LOOAudit folder called LogoffLog.cmd with contents listed below.
echo LOGOFF, %username%, %computername%, %time%, %date% >> \\MAIN\LOOAudit$\%username%.txt
- Create a text file in the LOOAudit folder called LogonLog.cmd with the contents listed below.
echo LOGON, %username%, %computername%, %time%, %date% >> \\MAIN\LOOAudit$\%username%.txt
- Open the group policy management console and create a new group policy object called ‘AUDIT – Log on – off’
- Edit the group policy object and add the following information.
- User Configuration -> Policies -> Windows Settings -> Scripts -> Logon = \\SYSDOMAIN\netlogon\LOOAudit\LogonLog.cmd
- User Configuration -> Policies -> Windows Settings -> Scripts -> Logoff = \\SYSDOMAIN\netlogon\LOOAudit\LogoffLog.cmd
- Assign the group policy object to the appropriate locations within the domain (You may want to apply this at the root of the domain to monitor the entire network, or alternatively assign it to a specific set of users or workstations)
- Perform a log on and log off to a monitored machine to ensure that the files are being updated.
The script will automatically create and update a file for each username in the \\MAIN\LOOAudit$ share. If you need to see when a user has logged on or off and to what machine you can open their file and see the times that they signed in and out as per the example below. (This document can be opened in Excel to perform filtering)
LOGON, dean, TERMINAL3, 15:26:34.79, Mon 02/12/2013 LOGOFF, dean, TERMINAL3, 15:26:54.68, Mon 02/12/2013 LOGOFF, dean, TERMINAL1, 15:31:20.25, Mon 02/12/2013 LOGON, dean, TERMINAL2, 15:31:38.33, Mon 02/12/2013 LOGOFF, dean, TERMINAL2, 15:38:18.29, Mon 02/12/2013 LOGON, dean, TERMINAL1, 16:47:39.53, Wed 04/12/2013 LOGOFF, dean, TERMINAL1, 17:00:20.56, Wed 04/12/2013 LOGON, dean, TERMINAL1, 11:37:41.65, Fri 06/12/2013 LOGOFF, dean, TERMINAL1, 11:39:31.29, Fri 06/12/2013 LOGON, dean, TERMINAL1, 16:00:14.55, Fri 06/12/2013 LOGON, dean, TERMINAL4, 16:00:33.88, Fri 06/12/2013 LOGOFF, dean, TERMINAL4, 16:42:16.47, Fri 06/12/2013 LOGON, dean, TERMINAL4, 16:46:02.35, Fri 06/12/2013 LOGOFF, dean, TERMINAL4, 16:49:03.05, Fri 06/12/2013 LOGOFF, dean, TERMINAL1, 16:49:08.55, Fri 06/12/2013 LOGON, dean, TERMINAL2, 14:53:58.89, Mon 09/12/2013 LOGOFF, dean, TERMINAL2, 15:01:10.24, Mon 09/12/2013 LOGON, dean, TERMINAL7, 15:03:19.14, Mon 09/12/2013 LOGOFF, dean, TERMINAL7, 15:04:20.62, Mon 09/12/2013 LOGON, dean, TERMINAL1, 10:18:16.75, Tue 10/12/2013 LOGOFF, dean, TERMINAL1, 10:25:39.14, Tue 10/12/2013
Remember that if a user is logging into multiple machines (Or hoping from terminal to server etc) then the log on’s and off’s will not be in order.