audit a user logon logoff

    Question

  • Hello:

    Looking for a simple way to audit a specific user's logon and logoff from our Windows 2012 server / Active Directory.

    I need to run a weekly report of a user's daily logon and logoff. I did enable auditing in Group Policy, but how do I run a report from the audit information?


    james luceros

    Tuesday, June 02, 2015 4:30 AM

Answers

  • Hi James,

    >>On line three I see " Computer name" do I simply place MY server name here? Do I need to change all "computer name" to my server name?

    Yes, we need to replace all "computer name" with our server name.

    >>Where do I add the username to search for?

    It's recommended that we ask for suggestions in the following forum, which offers dedicated help for PowerShell scripting questions.

    Windows PowerShell

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverpowershell

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Thursday, June 18, 2015 8:24 AM
    Moderator

All replies

  • Here you go : http://blogs.msdn.com/b/ericfitz/archive/2008/08/20/tracking-user-logon-activity-using-logon-events.aspx


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, June 02, 2015 4:54 AM
  • Have a look at this informative blog post, which shows you how to audit successful logon/logoff and failed logons in Active Directory: http://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
    Tuesday, June 02, 2015 5:46 AM
  • Thanks for the quick reply!

    I was hoping to find something pre-built. Unfortunately, I don't know enough about scripting to write it myself 


    james luceros

    Tuesday, June 02, 2015 12:59 PM
  • I did this much so far, now I need a script to extract it all, and put it to a file. Or, where I can copy and paste it into a deliverable file to management.

    james luceros

    Tuesday, June 02, 2015 1:01 PM
  • Thanks for the quick reply!

    I was hoping to find something pre-built. Unfortunately, I don't know enough about scripting to write it myself 


    james luceros

    Wednesday, June 03, 2015 4:39 PM
  • I did this much so far, now I need a script to extract it all, and put it to a file. Or, where I can copy and paste it into a deliverable file to management.

    james luceros

    Wednesday, June 03, 2015 4:40 PM
  • Hi James,

    >>I did this much so far, now I need a script to extract it all, and put it to a file. Or, where I can copy and paste it into a deliverable file to management.

    Before going further, the following scripts can be referred to as reference.

    PowerShell Script to fetch Logon/Logoff user on particular server {Get-WinEvent} {Get-EventLog}                                 

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/4f6815f1-2998-484c-a423-fe6507f1548c/powershell-script-to-fetch-logonlogoff-user-on-particular-server-getwinevent-geteventlog?forum=winserverpowershell

    Export Windows event log and send report to IT administrators

    https://gallery.technet.microsoft.com/scriptcenter/Export-Windows-event-log-ecdfadfc

    Besides, for scripting questions, in order to get better help, it's recommended that we ask for suggestions in the following scripting forum.

    The Official Scripting Guys Forum

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG

    Best regards,

    Frank Shen




    Thursday, June 04, 2015 9:19 AM
    Moderator
  • Hey Frank,

    The following links seem to all point to the same type of PowerShell script. I guess it would work, but I'm not sure where to put in my server name and the user I would like to run it on.

    Could you point that out for me?


    james luceros

    Wednesday, June 10, 2015 7:49 PM
  • Hi James,

    In the first link I provided, we can try to replace the computername with our server name. In the second link, we can run the script directly. However, we can try to change the event ID in the script to collect the events we want. If we try to run the script via a scheduled task, we should run the script as administrator. By default, standard users don't have access to security logs.

    Best regards,

    Frank Shen





    Friday, June 12, 2015 3:07 AM
    Moderator
  • Forgive my ignorance! Totally new to PowerShell.

    Here is a copy of the first link:

    On line three I see " Computer name" do I simply place MY server name here? Do I need to change all "computer name" to my server name? Do I need to remove anything else:

    Also, where do I add the username to search for?

    function get-logonhistory{
    Param (
     [string]$Computer = (Read-Host "Remote computer name"),   # prompts only when -Computer is not passed
     [int]$Days = 10                                            # how many days back to search
     )
     cls
     $Result = @()
     Write-Host "Gathering Event Logs, this can take awhile..."
     # Read the Winlogon entries from the System log of the remote computer
     $ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-$Days) -ComputerName $Computer
     If ($ELogs)
     { Write-Host "Processing..."
     ForEach ($Log in $ELogs)
     { # The script treats event 7001 as a logon and 7002 as a logoff; everything else is skipped
       If ($Log.InstanceId -eq 7001)
       { $ET = "Logon"
       }
       ElseIf ($Log.InstanceId -eq 7002)
       { $ET = "Logoff"
       }
       Else
       { Continue
       }
       # ReplacementStrings[1] holds the user's SID; translate it to a DOMAIN\user name
       $Result += New-Object PSObject -Property @{
        Time = $Log.TimeWritten
        'Event Type' = $ET
        User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
       }
     }
     # Show the newest events first in a grid window
     $Result | Select-Object Time,"Event Type",User | Sort-Object Time -Descending | Out-GridView
     Write-Host "Done."
     }
     Else
     { Write-Host "Problem with $Computer."
     Write-Host "If you see a 'Network Path not found' error, try starting the Remote Registry service on that computer."
     Write-Host "Or there are no logon/logoff events (XP requires auditing be turned on)"
     }
    }


    # Replace "computername" with the server name; -Days takes a number (time span in days, like 30)
    get-logonhistory -Computer "computername" -Days 30


    james luceros

    Friday, June 12, 2015 3:37 AM
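
The two open questions in the thread are where the user name goes and how to get the result into a file. The following is an added example, not code from the thread or from the linked scripts: it filters the same System-log Winlogon events (7001/7002) by account and writes a CSV. `SERVER01`, `CONTOSO\jluceros`, the CSV path and both function names are assumptions, and the sample records are constructed.

```powershell
# Added example, not the script from the thread. SERVER01, CONTOSO\jluceros and
# the CSV path are placeholders; the sample records at the end are constructed.
function Select-UserLogonEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Entry,   # record from Get-EventLog
        [Parameter(Mandatory)][string]$User                # DOMAIN\name or a raw SID
    )
    begin { $names = @{} }                                 # SID -> account name cache
    process {
        $type = switch ($Entry.InstanceId) { 7001 { 'Logon' } 7002 { 'Logoff' } }
        if (-not $type) { return }                         # not a logon/logoff record
        $sid = $Entry.ReplacementStrings[1]                # user SID, as in the thread's script
        if (-not $names.ContainsKey($sid)) {
            try {
                $id = New-Object System.Security.Principal.SecurityIdentifier $sid
                $names[$sid] = $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $names[$sid] = $sid                        # deleted/unresolvable account: keep the SID
            }
        }
        if ($User -ne $names[$sid] -and $User -ne $sid) { return }   # -ne ignores case
        [pscustomobject]@{
            Date  = $Entry.TimeWritten.ToString('yyyy-MM-dd')
            Time  = $Entry.TimeWritten.ToString('HH:mm:ss')
            Event = $type
            User  = $names[$sid]
        }
    }
}

function Export-UserLogonReport {
    param([string]$Computer, [string]$User, [int]$Days = 7, [string]$Path = '.\logon-report.csv')
    # -InstanceId restricts the result to the 7001/7002 records.
    $rows = @(Get-EventLog -LogName System -Source Microsoft-Windows-Winlogon `
            -InstanceId 7001, 7002 -After (Get-Date).AddDays(-$Days) -ComputerName $Computer |
        Select-UserLogonEvent -User $User | Sort-Object Date, Time)
    $rows | Export-Csv -Path $Path -NoTypeInformation
    $rows
}
# On the real server: Export-UserLogonReport -Computer 'SERVER01' -User 'CONTOSO\jluceros'

# Constructed records shaped like Get-EventLog output, to try the filter offline.
$sampleSid = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
$sample = @(
    [pscustomobject]@{ TimeWritten = [datetime]'2015-06-01 08:02:11'; InstanceId = 7001; ReplacementStrings = '1', $sampleSid }
    [pscustomobject]@{ TimeWritten = [datetime]'2015-06-01 17:31:40'; InstanceId = 7002; ReplacementStrings = '1', $sampleSid }
    [pscustomobject]@{ TimeWritten = [datetime]'2015-06-01 09:15:00'; InstanceId = 7001; ReplacementStrings = '2', 'S-1-5-18' }
)
$sample | Select-UserLogonEvent -User $sampleSid | Format-Table -AutoSize
```

Because the filter also matches on the raw SID, the report still works for an account that has since been deleted and no longer resolves to a name.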