I have created a pair of scripts that log when a user logs on to and off from workstations on a domain.
A basic overview of how the system works is as follows:
- A share located on an Active Directory server
- A logon script
- A logoff script
- Group Policy to launch the scripts
Setting up the system:
- Create a directory called AUDIT on a server. As it will only contain plain text, making it a compressed folder is quite beneficial.
- Create two folders within it, one called Computers and the other called Users. [fig.1]
- Share this folder as Audit. [fig.2]
- Set the SHARE permissions as Everyone | Full Control. [fig.3]
- Set the NTFS permissions as: [fig.4]
  - Administrators | Full Control
  - CREATOR OWNER | Special Permissions [fig.5]
  - SYSTEM | Full Control
  - Users | Write
- Compare your NTFS security with this CACLS output. If it is different, check the above steps. [fig.6]
- Edit Audit_Logon.bat and Audit_Logoff.bat to point to the newly created share on your server.
- Set up the GPO to run the scripts for Users when they log on and log off respectively.
Sit back and watch the text files fill up with nicely audited information.
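
A sketch of what a logon script for the folder layout above could look like, added here as an example and not the author's Audit_Logon.bat. The share path `\\SERVER\Audit`, the comma-separated line format and the local failure-marker file are assumptions; it also records a local marker when the write to the share fails, so that auditing does not stop silently.

```batch
@echo off
setlocal
rem Added example; not the author's Audit_Logon.bat.
rem Assumptions: \\SERVER\Audit is a placeholder for your share, and the
rem comma-separated line format and failure-marker file are illustrative.
set "SHARE=\\SERVER\Audit"
set "EVENT=LOGON"
set "LINE=%DATE% %TIME%,%EVENT%,%USERDOMAIN%\%USERNAME%,%COMPUTERNAME%"

rem One file per user and one per computer, matching the two folders.
call :append "%SHARE%\Users\%USERNAME%.log"
call :append "%SHARE%\Computers\%COMPUTERNAME%.log"
exit /b 0

:append
rem Append only: Users hold Write on the folder, so the script never reads
rem the log back. The redirection is placed first so a line ending in a
rem digit is not parsed as a handle number (for example "PC1>>file").
>>"%~1" echo %LINE%|| goto :failed
exit /b 0

:failed
rem The share was unreachable or the write was denied. Leave a marker in the
rem user's local TEMP folder so a silent stop in auditing can be noticed.
>>"%TEMP%\audit_write_failed.log" echo %DATE% %TIME%,%EVENT%,could not write %~1
exit /b 1
```

For the logoff counterpart, the same file with `EVENT` set to `LOGOFF` is enough.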










Great Tool however recently it seems that several SBS 2003 boxes I’ve implemented this on just stop performing the audits – GPO that logon and logoff .bat files are associated with are working fine however the auditing seems to just stop – CACLS audit of \\audit share looks great – any ideas?
Unsure, if you run the scripts manually do they audit?