Need help with how to determine logon/logoff times

Status
Not open for further replies.

Andronium

MIS
Jan 4, 2001
102
US
We are running Languard SELM v4(Security Event Log Monitor) to gather domain controller security evt logs and compile the events into a database. My boss wants to be able to determine the time users log onto the domain as well as when they log off. The problem is that this data that is being gathered is not really telling me anything because apparently logon events (mostly 528, but sometimes 540 also) are added to the log when someone maps a drive, or is authenticated in a way other than logging onto the domain. Have the same problem with logoffs (538). I don't care about when someone maps a drive or opens their email and authenticates to the exchange server, all I want to know is domain logon/logoff times. How can I get this? We have all W2K Prof workstations, but an NT4 domain with all NT4 DCs. Will be going to Active Directory in the next year. Is there any built-in functionality in AD that serves this purpose? How can I do it before we go to AD?
 
Andronium,

You can try this little vbs script. I'm not sure why the logoff time doesn't show, but it does work for the last logon.

Code:
' Ignore run-time errors and continue with the next statement
On Error Resume Next
' "." means the local computer
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
Set colItems = objWMIService.ExecQuery("Select * from Win32_NetworkLoginProfile",,48)
' Print one record per network login profile
For Each objItem in colItems
    Wscript.Echo "FullName: " & objItem.FullName
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "LastLogoff: " & objItem.LastLogoff
    Wscript.Echo "LastLogon: " & objItem.LastLogon
    Wscript.Echo ""
Next

Save it with a vbs extension and run it on your DC. You may want to redirect the output to a file, since it will probably be very long!

Or, you can go to:

And get a copy of Hyena. The Great tool for NT/2000 networks.

Good Luck!


Tim
Certified AND Qualified
 
Thanks Tim... I'm a vbs dummy... how do you output this to a file?
 
I'm not sure how to do it in the script, but your command line should look like this:

cscript filename.vbs > c:\temp\lastlogon.txt

Another alternative is a utility I just found yesterday on the Windows 2000 Resource Kit called USRSTAT. If you use that, your command line will look like this:

usrstat domain > c:\temp\lastlogon.txt

It's a hyphen-delineated file, so you should be able to import it into Excel or Access to manipulate as you desire.

Good Luck!

Tim
Certified AND Qualified
 
Hey,

Thanks, this script is really handy - a star for you!

One little query (I'm a WSH newbie!), why does it show that the logon time is 20030515114918.000000+060 and nothing in logoff time? I copied and pasted it into notepad, saved it as a .vbs and ran it in cmd as you have said above.

Any ideas?

Thanks in advance,

Steve Hewitt
 
Steve,

I'm not sure why it doesn't show a logoff time. The first eight numbers are the date (YYYYMMDD) and the last six are the time in 24-hour format - GMT.

If you have the resource kit, you can give USRSTAT a try. It comes out a little neater, but it still doesn't have anything for logoff time. Also, with USRSTAT, it checks ALL of your DCs, so keep that in mind when you look at the file.

Good Luck!

Tim
Certified AND Qualified
 
Why is it that when I run this on my DC, my output file only has the admin login and logout time?
 
Logoff time is not recorded in either Windows 2000 or Windows 2003. Who knows why the attribute even exists. Once you are authenticated, the DC(s) don't really care about you. Thus, there is nothing that you are actually doing when you log off that will ever inform a DC that you are gone. This is also why you need to scan all DCs for the most recent logon time to get truly accurate results. This data is now replicated in Windows 2003, but infrequently (user configurable interval).

/Siddharth
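
Added example, not part of the original thread: the post above says every DC has to be checked for the most recent logon, and the script prints LastLogon in the WMI (DMTF) datetime format, where the trailing +060 is the UTC offset in minutes. This Python code parses the script's redirected output from several DCs, converts each LastLogon to UTC and keeps the newest per account; the DC names, account name and sample output are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# DMTF datetime: yyyymmddHHMMSS.mmmmmm, then a sign and the UTC offset in minutes.
DMTF = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")

def parse_dmtf(value):
    """Return an aware UTC datetime, or None for blank or unparseable values."""
    m = DMTF.match(value.strip())
    if not m:
        return None
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes)) * (1 if sign == "+" else -1)
    try:
        local = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that are not a real date/time
        return None
    local = local.replace(microsecond=int(micros), tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)

def parse_report(text):
    """Map each 'Name:' in one DC's output to its 'LastLogon:' (UTC or None)."""
    logons, name = {}, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key.strip() == "Name":
            name = val.strip()
        elif key.strip() == "LastLogon" and name:
            logons[name] = parse_dmtf(val)  # None when the field is blank
            name = None
    return logons

def latest_logons(reports):
    """Merge per-DC reports, keeping the newest logon and the DC that saw it."""
    merged = {}
    for dc, text in reports.items():
        for name, when in parse_report(text).items():
            if when and (name not in merged or when > merged[name][0]):
                merged[name] = (when, dc)
    return merged

# Constructed sample output (hypothetical DC and account names).
SAMPLE = {
    "DC1": "Name: EXAMPLE\\jdoe\nLastLogoff: \nLastLogon: 20030515114918.000000+060\n",
    "DC2": "Name: EXAMPLE\\jdoe\nLastLogoff: \nLastLogon: 20030515110500.000000+000\n",
}

if __name__ == "__main__":
    print(latest_logons(SAMPLE))
```

In the sample, DC2's value wins even though DC1's string sorts higher, because 11:49:18 at +060 is 10:49:18 UTC.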
 
I still don't understand why when I run the script I only get results for the admin?
Thanks
 
Because it seems as though the script is only checking this one DC - is that correct?

Do you have multiple DCs?

/Siddharth
 
I have one DC, but I just thought the script would show me all users that were authenticated by the DC....
 
It should, but I'm no scripting expert. Are users actually hitting this DC (ie, not using cached credentials)?

Perhaps the creator of the script could be of assistance.

Sorry!

/Siddharth
 