2011-06-28

Track Users logon/logoff activity in Windows Domain environment (Active Directory)

Sorry for bad formatting, but I'm using WordPress for blogging now and this is just copy paste without any additional work. You can view this post here for better looks: http://www.pupils.lt/?p=447

If you find yourself in need to quickly review historical logon/logoff information in your environment, then the following might be useful in future.

So how are we going to track user logon information?

The answer is: by implementing user logon and logoff scripts in Group Policy.

Steps

1) Share a directory on network where logs will be saved.

Share a folder with full access share permissions for Everyone, as well as full NTFS permissions for the users you want to log. It is recommended that you make it a hidden share, \\server\share$\. In this scenario I will use two folders in the shared location: one for computers, \\server\share$\computers\, and another for users, \\server\share$\users\.

2) Create a .bat file with necessary commands for logon and logoff events.

a) Create logon.bat with the contents below and put it at \\server\share$\logon.bat

ver >>\\server\share$\computers\%computername%.txt
echo %username% logged on %date% - %time% >>\\server\share$\computers\%computername%.txt
ipconfig /all |findstr Address >>\\server\share$\computers\%computername%.txt
ver >>\\server\share$\users\%username%.txt
echo %computername% logged on %date% - %time% >>\\server\share$\users\%username%.txt
ipconfig /all |findstr Address >>\\server\share$\users\%username%.txt


The first command returns the OS version and writes it to computer_name.txt on your share.

The second command writes the username of the logged-on user, with the date and time when the script was run, to computer_name.txt on your share.

The third command returns the IP and MAC addresses of the network connections and also writes them to computer_name.txt on your share.

The next three commands do exactly the same as above, but write all the info into user_name.txt files in \\server\share$\users.

b) Create logoff.bat with the contents below and put it at \\server\share$\logoff.bat

echo %username% logged off %date% - %time% >>\\server\share$\computers\%computername%.txt
echo %computername% logged off %date% - %time% >>\\server\share$\users\%username%.txt


Of course you can modify .bat files to suit your needs.

3) Enable .bat files to run on user logon and logoff via Group Policy.

Now we need to make those .bat files run every time users log on and log off.

Open Group Policy Management, then create a GPO and link it to the OU where the targeted users reside. Now right click that GPO and choose Edit. Navigate to User Configuration\Windows Settings\Scripts (Logon/Logoff), double click Logon, click Add, browse for logon.bat (\\server\share$\logon.bat) and click OK two times. Now open Logoff, click Add, browse for logoff.bat (\\server\share$\logoff.bat) and click OK two times.



All set. To test it, first update group policy on a target computer with the gpupdate /force command. Then log off and log on with a test user that resides within the OU where your GPO applies.

If your test user is A.Test and the computer is TESTXP, you should get 2 files created:

\\server\share$\computers\TESTXP.txt with the following contents:

Microsoft Windows XP [Version 5.1.2600]
A.test logged on 2011.06.28 - 11:45:14,44
Physical Address. . . . . . . . . : 00-0C-0C-60-C2-FA
IP Address. . . . . . . . . . . . : 192.168.1.15
A.test logged off 2011.06.28 - 11:45:50,35


and \\server\share$\users\A.test.txt with the following contents:

Microsoft Windows XP [Version 5.1.2600]
TESTXP logged on 2011.06.28 - 11:45:15,82
Physical Address. . . . . . . . . : 00-0C-0C-60-C2-FA
IP Address. . . . . . . . . . . . : 192.168.1.15
TESTXP logged off 2011.06.28 - 11:45:50,37
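As an added example (not part of the original post), a small Python parser for the files the two scripts produce: it pairs each "logged on" line with the next "logged off" line for the same name and reports logons that never got a logoff, which is how you spot machines where logoff.bat did not run. The sample lines are constructed from the output shown above, and the date/time layout (yyyy.mm.dd, hh:mm:ss,cc) is assumed from it.

```python
import re
from datetime import datetime

# Constructed sample in the layout logon.bat / logoff.bat append to
# \\server\share$\computers\TESTXP.txt; the B.test logon is made up.
SAMPLE_COMPUTER_LOG = """\
Microsoft Windows XP [Version 5.1.2600]
A.test logged on 2011.06.28 - 11:45:14,44
Physical Address. . . . . . . . . : 00-0C-0C-60-C2-FA
IP Address. . . . . . . . . . . . : 192.168.1.15
A.test logged off 2011.06.28 - 11:45:50,35
B.test logged on 2011.06.28 - 13:02:00,10
"""

# %date% / %time% expand per client locale: the yyyy.mm.dd and hh:mm:ss,cc
# layout is assumed from the sample output, and names are assumed space-free.
EVENT_RE = re.compile(
    r"^(?P<who>\S+) logged (?P<kind>on|off) "
    r"(?P<date>\d{4}\.\d{2}\.\d{2}) - (?P<time>\d{2}:\d{2}:\d{2})[,.]\d+$"
)


def parse_events(text):
    """Return [(who, 'on'|'off', datetime)], skipping ver/ipconfig lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            stamp = datetime.strptime(f"{m['date']} {m['time']}", "%Y.%m.%d %H:%M:%S")
            events.append((m["who"], m["kind"], stamp))
    return events


def sessions(text):
    """Pair each logon with the next logoff of the same name.
    Returns (completed, orphans): completed = [(who, start, seconds)],
    orphans = [(who, kind, stamp)] for logons never closed (hard power-off,
    or a client on which logoff.bat never ran) and logoffs with no logon."""
    pending, completed, orphans = {}, [], []
    for who, kind, stamp in parse_events(text):
        if kind == "on":
            if who in pending:  # earlier logon was never closed
                orphans.append((who, "on", pending[who]))
            pending[who] = stamp
        elif who in pending:
            start = pending.pop(who)
            completed.append((who, start, (stamp - start).total_seconds()))
        else:
            orphans.append((who, "off", stamp))
    orphans.extend((who, "on", start) for who, start in pending.items())
    return completed, orphans
```

Run it over every file in \\server\share$\computers\ to get per-machine session durations; a machine whose file holds only orphaned logons is one where the logoff script is not running.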

5 comments:

  1. Anonymous, 14.10.13

    See also the following articles http://www.morgantechspace.com/2013/10/logon-and-logoff-events-in-active.html

    http://www.morgantechspace.com/2013/10/tracking-user-logon-activity-using.html

  2. Thanks for the nice information; this article explains how to track logon or logoff activity. I also found good information about it at http://auditingactivedirectory.blogspot.in/2014/08/track-ad-user-logon-and-logoff-activity.html. It helps to track every single Active Directory user logon/logoff activity. It allows generating specific reports based on defined objects, classes, etc. and saving them in CSV, PDF or MHT format.

  3. Anonymous, 20.10.14

    Awesome... Works great! Thanks for the info. It was well stated and easy to use.

  4. It doesn't work for me. The script only gathers the domain server logon/logoff activity. For client machines, it doesn't show anything.

  5. Nice article, thanks for sharing this information to track user logon and logoff activity. I also checked out this article, https://www.netwrix.com/how_to_monitor_user_logons_in_domain.html, which assists in detecting malicious activity before a data breach occurs, and user logon auditing is the only way to detect all unauthorized attempts to log in to a domain.
