Audit Login and Logout Events Using Login Scripts

22 03 2009


Auditing network events, and indeed local events on systems, is becoming a big factor in the business world, and while the Windows Server 2003 platform allows for extensive auditing, there is what I would loosely call a major flaw in how the auditing features were planned and put together. The flaw sits within the Audit: Account Logon Events policy: it only records logons, and there is no separate policy for auditing account logoff events.

A Windows Server 2003 Domain Controller does not keep any record of a user logging off. The only events recorded are when a user logs on and the nearest DC is contacted for Kerberos authentication. (A workstation's own Security log does record a local logoff, event ID 538, if Audit logon events is enabled there, but that is scattered across every client rather than collected in one place.)

This means that the built-in auditing features are of little use when managers want to check the times their staff log in and out of the system. There is a perfectly good workaround, however, using a few lines of VBScript and the Scripts section of a GPO (Group Policy Object).

Log File Share
The first step in this process is to create a location for the log files to be created and stored in. Create a new folder on the D:\ drive (or a drive of your choice) called LogReports. You now need to share this folder, and I would suggest sharing it as LogReports$. The $ suffix hides the share from the browse list, so inquisitive users will not stumble across their own logs, but it is not an access control: anyone who knows the name can still connect to it. You now need to check the permissions on the share, setting these to Everyone – Full Control.

The VBS Scripts
Next up is the actual VBScript that creates the log files. We need to create two plain-text files with a .vbs extension, and I would recommend creating them in the following location (DomainName is the domain's DNS name; this scripts folder is also exposed as the NETLOGON share):

\\ServerName\SYSVOL\DomainName\scripts

LogonLog.vbs is the first file to create, and should contain the following code:

' LogonLog.vbs - appends one "Login" record to the user's CSV file on the share.
' On Error Resume Next carries on with the next statement if anything fails, so an
' unreachable share means the record is silently dropped rather than the user seeing an error.
On Error Resume Next
Set objNetwork = WScript.CreateObject("WScript.Network")
Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")

' 8 = ForAppending; True = create the file if it does not exist yet.
' The share name must match the share created above (LogReports$).
Set objTextFile = objFSO.OpenTextFile("\\ServerName\LogReports$\" & objNetwork.UserName & "Usage.csv", 8, True)
objTextFile.WriteLine Year(Date()) & "-" & Month(Date()) & "-" & Day(Date()) & "," & Time() & ",Login," & objNetwork.UserName & "," & objNetwork.ComputerName
objTextFile.Close

So, a quick run through what this code is saying. First, On Error Resume Next tells the script to carry on with the next statement if any line fails, rather than stopping with an error; the price is that a failure (the share being unreachable, for example) is never reported and the event is simply not logged. A network object is then created, followed by a file system object. These are needed because we are collecting network information (the username and computer name) and writing it to a file on the share. The second part of the code opens a text file object, setting the location of the file (our share), the file name and the data to log. Notice that we use objNetwork.UserName, which gives us who is logging in, and concatenate that with Usage.csv. This gives a file name of AdministratorUsage.csv, for example. The 8 is the ForAppending mode, so each run adds a line to the end of the file, and True allows the file to be created if it does not already exist. Note that Month() and Day() are not zero-padded and Time() is formatted according to the client's regional settings, so the exact text you see will vary between clients.

LogoutLog.vbs is up next, and is identical apart from writing Logout instead of Login.

' LogoutLog.vbs - appends one "Logout" record to the same per-user CSV file on the share.
' This only runs on an orderly logoff; a crash or hard power-off leaves no Logout record.
On Error Resume Next
Set objNetwork = WScript.CreateObject("WScript.Network")
Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")

' 8 = ForAppending; True = create the file if it does not exist yet.
Set objTextFile = objFSO.OpenTextFile("\\ServerName\LogReports$\" & objNetwork.UserName & "Usage.csv", 8, True)
objTextFile.WriteLine Year(Date()) & "-" & Month(Date()) & "-" & Day(Date()) & "," & Time() & ",Logout," & objNetwork.UserName & "," & objNetwork.ComputerName
objTextFile.Close

Creating The Policy To Apply The Scripts
You now need to create a policy to apply these new scripts. Create a new GPO called Audit Scripts and link it at the domain level. You could also link it at OU level should you only want to apply the audits to specific departments. Open the GPO in the Group Policy Object Editor and expand the tree to:

User Configuration\Windows Settings\Scripts (Logon/Logoff)

For both Logon and Logoff, open the properties, hit the Add button, and browse to the relevant script you have just created in the SYSVOL scripts folder.

Testing The Policy
That is all there is to it. All you now have to do is refresh the policy (gpupdate /force on a client) and run some test logins and logouts. Try it with a few different usernames if possible to get an idea of what CSV files are produced.

Viewing The Log Files
To view the logs, browse to the share you created earlier and find the log for the user you need to check up on. The files open in either Notepad or Excel and should resemble the following text (the time column will be in whatever format the client's regional settings produce):

2008-12-17, 0:04:55 AM, Login, Administrator, ComputerName
2008-12-17, 0:05:55 AM, Logout, Administrator, ComputerName
2008-12-17, 0:07:32 AM, Login, Administrator, ComputerName
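To turn one of these per-user files into something a manager can actually read, here is an added example (Python, not part of the original post) that pairs each Login with the following Logout for the same user on the same computer, computes the session length, and flags the records that do not pair up. The sample lines, usernames and computer names are constructed; the example assumes the file layout the scripts above produce, including the unpadded month/day and a Time() value in whichever regional format the client uses.

```python
"""Turn the per-user CSV written by LogonLog.vbs / LogoutLog.vbs into sessions.

Added example, not part of the original post.  Pairs each Login with the next
Logout for the same user on the same computer, computes the session length, and
flags the gaps the scripts cannot avoid: a Login with no Logout (crash, hard
power-off, logoff script never ran) and a Logout with no preceding Login.
Usernames, computer names and the sample lines below are all constructed."""
from datetime import datetime

# Constructed sample of one user's AdministratorUsage.csv as the scripts write it:
# no spaces after commas, month/day not zero-padded, and Time() in whatever regional
# format the client has (12-hour AM/PM on WKS01, 24-hour on WKS02).
SAMPLE_CSV = """\
2008-12-17,12:04:55 AM,Login,Administrator,WKS01
2008-12-17,12:05:55 AM,Logout,Administrator,WKS01
2008-12-17,12:07:32 AM,Login,Administrator,WKS01
2008-12-17,9:15:02 AM,Login,Administrator,WKS02
2008-12-17,17:30:10,Logout,Administrator,WKS02
2008-12-18,8:00:00 AM,Login,Administrator,WKS01
2008-12-18,4:45:00 PM,Logout,Administrator,WKS01
2008-12-18,5:00:00 PM,Logout,Administrator,WKS01
"""

# Try the 12-hour AM/PM form first; it fails on a 24-hour value such as 17:30:10,
# which then falls through to the second format.
TIMESTAMP_FORMATS = ("%Y-%m-%d %I:%M:%S %p", "%Y-%m-%d %H:%M:%S")


def parse_timestamp(date_field, time_field):
    """Combine the date and time columns; strptime accepts the unpadded month/day."""
    text = f"{date_field.strip()} {time_field.strip()}"
    for fmt in TIMESTAMP_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_records(csv_text):
    """Return a list of (timestamp, action, user, computer), one per CSV line."""
    records = []
    for lineno, line in enumerate(csv_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        date_field, time_field, action, user, computer = fields
        records.append((parse_timestamp(date_field, time_field), action, user, computer))
    return records


def build_sessions(records):
    """Pair Login/Logout records per (user, computer).

    Returns (sessions, anomalies).  Each session is a tuple
    (user, computer, start, end, seconds); end and seconds are None when no
    Logout was ever recorded for that Login."""
    open_logins = {}  # (user, computer) -> start of the session still open
    sessions, anomalies = [], []
    for when, action, user, computer in sorted(records):
        key = (user, computer)
        if action == "Login":
            if key in open_logins:
                # Second Login with no Logout in between: the earlier session ended
                # without the logoff script running, so its end time is unknown.
                anomalies.append(f"{user} on {computer}: Login at {open_logins[key]} "
                                 f"has no Logout before the next Login at {when}")
                sessions.append((user, computer, open_logins[key], None, None))
            open_logins[key] = when
        elif action == "Logout":
            start = open_logins.pop(key, None)
            if start is None:
                anomalies.append(f"{user} on {computer}: Logout at {when} with no preceding Login")
                continue
            sessions.append((user, computer, start, when, int((when - start).total_seconds())))
        else:
            anomalies.append(f"{user} on {computer}: unknown action {action!r} at {when}")
    # Whatever is still open at the end of the file never logged out (or has not yet).
    for (user, computer), start in open_logins.items():
        sessions.append((user, computer, start, None, None))
    sessions.sort(key=lambda s: s[2])
    return sessions, anomalies


if __name__ == "__main__":
    sessions, anomalies = build_sessions(parse_records(SAMPLE_CSV))
    for user, computer, start, end, seconds in sessions:
        length = "open (no Logout recorded)" if end is None else f"{seconds // 3600}h{seconds % 3600 // 60:02d}m"
        print(f"{user:<14} {computer:<6} {start}  ->  {str(end or '?'):<19}  {length}")
    for note in anomalies:
        print("ANOMALY:", note)
```

Run it against a real file with parse_records(open(path).read()). Unpaired Login lines are the normal result of a crash, a hard power-off or a share that was unreachable when the logoff script ran, so treat them as missing data rather than as proof that someone stayed logged in; a Logout with no Login, or a session that looks edited, is worth a closer look given that the user's own account has write access to the file.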

One Last Consideration
One last thing to consider is that the share has Everyone – Full Control share permissions. You may want to lock this down with NTFS permissions, but remember that it is the user who runs the scripts, so the user's own account needs enough permission to create and append to its CSV file within the share. Two caveats follow from that. Because each record is written by the user's own account, the user can also edit or delete it (and with Everyone – Full Control, anyone else's), so these logs are not tamper-evident and should not be the sole evidence for anything contested. And because the logoff script only runs on an orderly logoff, a crash, a hard power-off or a share that was unreachable at the time leaves a Login line with no matching Logout.
