VB Script AD Logon and Logoff

  • Question

  • Hi,

    I have seen various scripts on AD logon and logoff. But my requirement is only to get the output as below:

    EmpCode,Transaction Date,Transaction Time
    EMPNO,YYYYMMDD,HHMM

    Can anyone help me with the script?

    I appreciate your help.

    Thanks.

    Wednesday, September 24, 2014 6:06 AM

Answers

  • Jinagouda,

    First, a logon script cannot determine the logoff time, even of the previous user session. AD has a lastLogoff attribute, but it is not used. It is never assigned a value by the system. To retrieve both logon and logoff times, you need to have a logon script and a logoff script specified in a Group Policy. These scripts can simply log the current time to your shared file.

    Second, we don't yet know what you mean by "EMP NO". I was thinking you might mean the value of the employeeID attribute, or even the employeeNumber attribute, but I could be wrong. These attributes are not displayed in ADUC (except on the Attribute Editor tab), but you may have assigned values in AD for all of your users. If so, the script must bind to the user object in AD to retrieve the value. The script I posted above does this.

    If instead you mean the logon ID or username, you probably want the value of the sAMAccountName attribute of the user. This is labeled the "pre-Windows 2000 logon name" in ADUC. But you don't even need to retrieve this from AD. You can instead use the wshNetwork object to retrieve the UserName property, which is identical to the sAMAccountName in AD. My script above does this, and assigns the value to the strUserName attribute. However, my script does not output this value to the log file, since I thought you wanted the value of the employeeID attribute in AD instead.

    If you want logon and logoff scripts to log the logon and logoff times for users in the same log file, you should add a field to each line indicating whether the event is a logon or a logoff. For example, assuming you want the user logon name (instead of employeeID), the logon script could use the following line to write values to the log file:

    objLogFile.WriteLine "Logon," & strUserName & "," & Date() & "," & Time()

    -----

    The logoff script could be identical, except the WriteLine command would output "Logoff," instead of "Logon,".

    If the user logon name (value of sAMAccountName) is what you want, you can skip VBScript and simply use a batch file. The exact same log file could be maintained using the following batch file as the logon script:

    @echo off
    echo Logon,%UserName%,%date%,%time% >> \\MyServer\LogFileShare\Domain.log

    -----

    Again, the logoff script would be the same, except replace "Logon" with "Logoff". This batch file solution is much simpler. You can test it yourself from a command line prompt.


    Richard Mueller - MVP Directory Services

    Thursday, September 25, 2014 2:26 PM
    Moderator
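
The question asks for YYYYMMDD and HHMM fields, while Date() and Time() in the posted scripts return strings shaped by the machine's regional settings. As an added example (not part of any post in this thread; the "Logoff" script parameter is an assumed convention and the share path is the posts' placeholder), this VBScript writes the answer's Logon/Logoff line with fixed-width fields:

```vbscript
Option Explicit
' Added example, not code from the thread; the share path is a placeholder.
Const ForAppending = 8
Const LOG_PATH = "\\MyServer\LogFileShare\Domain.log"
Dim objNetwork, strEvent, dtmNow

' Assumption: the logoff GPO entry passes "Logoff" as its script parameter.
strEvent = "Logon"
If WScript.Arguments.Count > 0 Then
    If LCase(WScript.Arguments(0)) = "logoff" Then strEvent = "Logoff"
End If

Set objNetwork = CreateObject("WScript.Network")
dtmNow = Now()   ' read the clock once so date and time agree across midnight
AppendLine LOG_PATH, strEvent & "," & objNetwork.UserName & "," _
    & StampDate(dtmNow) & "," & StampTime(dtmNow)

Function Pad2(intValue)
    Pad2 = Right("0" & CStr(intValue), 2)
End Function

' YYYYMMDD built from date parts, independent of regional settings.
Function StampDate(dtmValue)
    StampDate = CStr(Year(dtmValue)) & Pad2(Month(dtmValue)) & Pad2(Day(dtmValue))
End Function

' HHMM on the 24-hour clock.
Function StampTime(dtmValue)
    StampTime = Pad2(Hour(dtmValue)) & Pad2(Minute(dtmValue))
End Function

' Append one line; retry up to three times if the file is locked.
Function AppendLine(strPath, strLine)
    Dim objFSO, objFile, intTry, blnDone
    blnDone = False
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    On Error Resume Next
    For intTry = 1 To 3
        Err.Clear
        Set objFile = objFSO.OpenTextFile(strPath, ForAppending, True)
        If Err.Number = 0 Then
            objFile.WriteLine strLine
            If Err.Number = 0 Then blnDone = True
            objFile.Close
        End If
        If blnDone Then Exit For
        WScript.Sleep 200
    Next
    On Error GoTo 0
    AppendLine = blnDone
End Function
```

Every user needs write access to the log file for this to work, so the entries are self-reported and can be edited by any user with that access.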

All replies

  • Hi,

    It is possible through a script.

    But we need to save the file in a common location to write the required information through the script.

    Please confirm what you mean by EmpCode,Transaction Date,Transaction Time?

    Regards,

    Mariappan S

    Wednesday, September 24, 2014 6:17 AM
  • It is not possible to know what you are asking about. What transactions are you asking about? This is not part of AD. Is it possible you are asking about a database?

    You also need to describe what system you are running from.

    Note that this is not an end user help desk forum but is a tech admin scripting forum.


    ¯\_(ツ)_/¯

    Wednesday, September 24, 2014 2:16 PM
  • Based on the post you made in the other thread, I might make a guess. Either you want the "pre-Windows 2000 logon name" of the user, or perhaps you want the value of the employeeID attribute of the user in AD. In any case, the other thread is very old and way too long to analyze, and the code too complex for me. Also, the person that answered it is no longer very active.

    I have used several similar logon scripts for many years. This example logs employeeID, date, and time to a shared log file:

    Option Explicit

    Dim objFSO, objLogFile, objNetwork, objShell, strText, intAns
    Dim intConstants, intTimeout, strTitle, intCount, blnLog
    Dim strUserName, strComputerName, strShare, strLogFile
    Dim objSysinfo, strUserDN, objUser, strUserID

    strShare = "\\MyServer\LogFileShare"
    strLogFile = "Domain.log"
    intTimeout = 20

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objNetwork = CreateObject("Wscript.Network")
    Set objShell = CreateObject("Wscript.Shell")

    Set objSysInfo = CreateObject("ADSystemInfo")
    strUserDN = objSysInfo.userName

    ' Escape any forward slash characters, "/", with the backslash
    ' escape character. All other characters that should be escaped are.
    strUserDN = Replace(strUserDN, "/", "\/")

    ' Bind to the user object with the LDAP provider.
    Set objUser = GetObject("LDAP://" & strUserDN)

    strUserName = objNetwork.UserName
    ' strComputerName = objNetwork.ComputerName
    strUserID = objUser.employeeID

    ' Log date/time, user name, and user ID.
    If (objFSO.FolderExists(strShare) = True) Then
        On Error Resume Next
        Set objLogFile = objFSO.OpenTextFile(strShare & "\" _
            & strLogFile, 8, True, 0)
        If (Err.Number = 0) Then
            ' Make three attempts to write to log file (counter runs 0, 1, 2).
            intCount = 0
            blnLog = False
            Do Until intCount = 3
                objLogFile.WriteLine strUserID & "," & Date() & "," & Time()
                If (Err.Number = 0) Then
                    intCount = 3
                    blnLog = True
                Else
                    Err.Clear
                    intCount = intCount + 1
                    If (Wscript.Version > 5) Then
                        Wscript.Sleep 200
                    End If
                End If
            Loop
            On Error GoTo 0
            If (blnLog = False) Then
                strTitle = "Logon Error"
                strText = "Log cannot be written."
                strText = strText & vbCrlf _
                    & "Another process may have log file open."
                intConstants = vbOKOnly + vbExclamation
                intAns = objShell.Popup(strText, intTimeout, strTitle, _
                    intConstants)
            End If
            objLogFile.Close
        Else
            On Error GoTo 0
            strTitle = "Logon Error"
            strText = "Log cannot be written."
            strText = strText & vbCrLf & "User may not have permissions,"
            strText = strText & vbCrLf & "or log folder may not be shared."
            intConstants = vbOKOnly + vbExclamation
            intAns = objShell.Popup(strText, intTimeout, strTitle, intConstants)
        End If
    Else
        On Error GoTo 0
        strTitle = "Logon Error"
        strText = "Log cannot be written."
        strText = strText & vbCrLf & "User may not have permissions,"
        strText = strText & vbCrLf & "or log folder may not be shared."
        intConstants = vbOKOnly + vbExclamation
        intAns = objShell.Popup(strText, intTimeout, strTitle, intConstants)
    End If

    -----

    You can add strComputerName if you want to log the name of the local computer. This version logs the employeeID attribute of the user in AD. If you want "pre-Windows 2000 logon name" instead, change strUserID to strUserName (and you don't need to bind objSysInfo or objUser, or retrieve strUserDN or strUserID).


    Richard Mueller - MVP Directory Services


    Wednesday, September 24, 2014 3:08 PM
    Moderator
  • Hi,

    Oh, my bad.

    In the above post, I meant the logon and logoff time.

    regards,

    Jawad Shaikh

    Thursday, September 25, 2014 5:30 AM
  • Hi Richard,

    Appreciate your help.

    Let me give you some more download.

    I have seen a lot of logon and logoff scripts. They all give you a lot of entries in the output file.

    I just wanted to capture EMP NO, Date (YYMMDD), Time (HHMM)

    Hence, requesting your help.

    Thanks for your help.

    Regards,

    Jawad Shaikh

    Thursday, September 25, 2014 5:32 AM
  • Feel free to modify any of these scripts to your needs. We do not customize scripts on request. We can help to answer questions about issues you may have with your script.

    Here is a good place to start: http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx


    ¯\_(ツ)_/¯

    Thursday, September 25, 2014 1:25 PM
  • Hi Richard,

    I appreciate your help. Yes, EMP NO refers to CN or sAMAccountName of the user in AD.

    I do have a batch file with me. But I need a VBScript which I can deploy using GPO.

    Nevertheless, many thanks for your help.

    Regards,

    Jawad Shaikh

    Friday, September 26, 2014 5:44 AM