Security problems are typically a small part of Michael Dragone's job as a
systems engineer for Titleserv, a title insurance and real estate services firm
in Woodbury, New York. But when senior management asked him to devise a way
to track employees' network logons and logoffs, Michael was challenged to find
a solution that didn't rely on the Active Directory (AD) Security event log,
which retains logons, logoffs, privilege assignments, and other events only
for a short time until they're overwritten. Michael talked to me about how he
fulfilled management's request by using straightforward batch-file scripting
to capture logon/logoff data on the clients and move that data into text files
and folders for easy retrieval.
What inspired you to create the user logon/logoff solution?
Our internal production system is a Web application based on Microsoft .NET
Framework, and it has an internal logging component that tells you when people
logged on, when they logged off, what they did, and so on. We had a lot of requests
from management to provide a similar capability for our end users' PCs. A manager
might want to know, for example, if someone requested overtime pay last month,
whether that employee was really working overtime. To confirm this, the manager
wanted to be able to find out when someone logged on or whether an employee
was working on a particular computer at a particular time. That information
is logged in AD, but it goes in the Security event log, which can't retain more
than 50MB of data and has other events besides those management wanted to track.
It would take a lot of scraping through the logs to find the information management
wanted. . . .


The solution I have runs in much the same way but instead copies the file to a hidden network path, and stores the data in a comma-delimited file. The file contains several fields that would allow me to sort the data if necessary in an Access or Excel program. I too have it running from the GPO in the Default Domain Policy/User configuration/Windows Settings under LOGON/LOGOFF.
Here is how my bat file looks.
@Echo off
Rem Logon script: append one CSV record per logon to a per-PC file on the network share
Rem Extract only the last IP address from the list (if several adapters are listed, the last one wins)
Rem Note: "IP Address" matches the IPCONFIG output of Windows 2000/XP; Vista and later label the line "IPv4 Address"
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('IPCONFIG /ALL ^| FIND "IP Address"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
Rem Extract the NETBIOS name
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('IPCONFIG /ALL ^| FIND "Host Name"') DO FOR %%B IN (%%A) DO SET netbiosname=%%B
Rem Extract the MAC ADDRESS (again, the last adapter listed wins)
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('IPCONFIG /ALL ^| FIND "Physical Address"') DO FOR %%B IN (%%A) DO SET macaddress=%%B
Rem Append the record: event flag, date, time, user, host, IP, MAC
Rem Drive n: must already be mapped in the user's session (or use a UNC path instead)
Rem The space before >> leaves a trailing blank at the end of each line, which is harmless
echo S,%DATE%,%TIME%,%username%,%netbiosname%,%ipaddr%,%macaddress% >> n:\Logs\PCs\%netbiosname%.txt
The last line saves the data to the CSV file. The 'S' stands for sign-on; use the same bat file in your logoff script but replace the 'S' with an 'O' (or whatever) to denote sign-off.
With this solution you can look at all of the computers in one directory. I have a scheduled task that runs on the first, creates a directory, and moves all of the files there.
Something else this solution solves for me is that I have users who roam the network when they log in in order to do their job. A simple COPY statement gathers all of the files; dump them into Access, and you know when and where they last logged in for the month, including our TS users.
I think you'll find this to be a better solution: no more difficult to implement, and easier to manage given that the data is stored centrally.
Jake
Jakesty, June 07, 2007
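The records that the batch file appends only answer management's question from the interview (was this employee on that computer at that time, and for how long?) and Jake's monthly roll-up once the S and O lines are reconciled into sessions. The Python below is an added example, not code from the article or from Jake. It assumes the seven-field layout of the echo line (event,%DATE%,%TIME%,%username%,host,ip,mac), constructs a few sample records in the format an XP-era US-locale client produces (weekday prefix in %DATE%, unpadded hour in %TIME%, trailing blank from the echo), and handles the case the logoff script cannot record: a logon with no matching logoff after a crash, power loss, or skipped logoff script.

```python
"""Reconcile logon/logoff CSV records written by a GPO batch script into sessions.
Added example, not the article's or Jake's code. Assumes the seven-field layout
event,%DATE%,%TIME%,%username%,host,ip,mac that the echo line in the batch file writes."""
import csv
from datetime import datetime

# Constructed sample records (a concatenation of several per-PC files). %DATE% on an
# XP-era US-locale client carries a weekday prefix, %TIME% has no leading zero on the
# hour, and the space before ">>" leaves a trailing blank on every line.
SAMPLE_LOG = """\
S,Thu 06/07/2007,8:02:13.45,jsmith,WS-014,192.168.1.25,00-11-22-33-44-55 
O,Thu 06/07/2007,12:01:07.11,jsmith,WS-014,192.168.1.25,00-11-22-33-44-55 
S,Thu 06/07/2007,13:30:00.00,jsmith,TS-01,192.168.1.9,00-aa-bb-cc-dd-ee 
O,Thu 06/07/2007,19:45:12.88,jsmith,TS-01,192.168.1.9,00-aa-bb-cc-dd-ee 
S,Thu 06/07/2007,9:10:05.30,adoe,WS-022,192.168.1.33,00-11-22-33-44-66 
"""


def parse_record(line):
    """Parse one CSV line; return None for blank or malformed lines instead of raising."""
    fields = [f.strip() for f in next(csv.reader([line]), [])]
    if len(fields) != 7 or fields[0] not in ("S", "O"):
        return None
    event, date_str, time_str, user, host, ip, mac = fields
    date_part = date_str.split()[-1]  # drop the optional weekday prefix
    try:
        when = datetime.strptime(f"{date_part} {time_str}", "%m/%d/%Y %H:%M:%S.%f")
    except ValueError:
        return None
    return {"event": event, "when": when, "user": user.lower(),
            "host": host.upper(), "ip": ip, "mac": mac}


def build_sessions(text):
    """Pair each S with the next O for the same (user, host). A session whose logoff
    was never recorded keeps end=None; a logoff with no preceding logon keeps
    start=None so that neither gap is silently dropped."""
    records = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    records.sort(key=lambda r: r["when"])
    open_sessions, sessions = {}, []
    for r in records:
        key = (r["user"], r["host"])
        if r["event"] == "S":
            if key in open_sessions:  # second logon with no logoff: the stale session stays open-ended
                sessions.append(open_sessions.pop(key))
            open_sessions[key] = {"user": r["user"], "host": r["host"], "ip": r["ip"],
                                  "start": r["when"], "end": None}
        else:
            s = open_sessions.pop(key, None)
            if s is None:
                s = {"user": r["user"], "host": r["host"], "ip": r["ip"], "start": None, "end": None}
            s["end"] = r["when"]
            sessions.append(s)
    sessions.extend(open_sessions.values())
    sessions.sort(key=lambda s: s["start"] or s["end"])
    return sessions


def who_was_on(sessions, host, at):
    """Users with a session on `host` covering `at` (datetime or ISO string);
    an open session counts as still logged on."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    return sorted(s["user"] for s in sessions
                  if s["host"] == host.upper() and s["start"] is not None
                  and s["start"] <= at and (s["end"] is None or at <= s["end"]))


def last_logon(sessions):
    """Most recent logon (host, time) per user: the monthly roll-up question."""
    latest = {}
    for s in sessions:
        if s["start"] is not None and (s["user"] not in latest or s["start"] > latest[s["user"]]["start"]):
            latest[s["user"]] = s
    return {u: (s["host"], s["start"]) for u, s in latest.items()}


def time_on_system(sessions, user):
    """Whole seconds across fully recorded sessions, plus a count of sessions that
    cannot be credited because one end is missing; an overtime check needs both."""
    complete = [s for s in sessions if s["user"] == user and s["start"] and s["end"]]
    seconds = sum((s["end"] - s["start"]).total_seconds() for s in complete)
    incomplete = sum(1 for s in sessions if s["user"] == user and (s["start"] is None or s["end"] is None))
    return int(seconds), incomplete


if __name__ == "__main__":
    sess = build_sessions(SAMPLE_LOG)
    for s in sess:
        print(f"{s['user']:8} {s['host']:7} {s['start']} -> {s['end']}")
    print("on WS-014 at 10:00:", who_was_on(sess, "WS-014", "2007-06-07 10:00"))
    print("last logon:", last_logon(sess))
    print("jsmith seconds / incomplete sessions:", time_on_system(sess, "jsmith"))
```

Two points the roll-up should keep visible: an open-ended session is a gap in the record, not proof of presence, so report it separately rather than crediting or discarding it; and because the clients append to the share themselves, a hidden path is not access control, so the folder's permissions should allow users to append but not to read or rewrite other PCs' files.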