We use login/off scripts that record to a DB. The problem with DC logs is that they don't actually record logoffs (because you don't authenticate when logging off). There are some products out there that will do this, but they are expensive so we went with scripts. Note that if you use a licensing management software like Keyserver, you can get the logon/off info you need.

Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville

Gideon Ashcraft wrote:

Some fool mentioned to our HR department that we can track our employees'
work routines by auditing the login events to our DCs instead of their
supervisors actually doing work and tracking the work habits of their
charges. So now I need to present reports to our illustrious HR department
in terms they can understand (pretty pictures and colors with all the
details washed out so they can grasp the picture). I started by enabling
login successes in the default DC policy and was overwhelmed by a flood of
events from login attempts and the constant flood of logins (20,000 security
events/day) from our LANutil inventory (don't ever use PC-Duo) software
(originally set up wrong by helpdesk staff and currently locking the accounts
of anyone associated with that deployment (I'm letting them suffer for the
moment because they did it without asking for Domain Admin support)).

Currently I am using a 60 day trial of GFI's SELM log monitor to archive
events (until my UNIX admin has the time to learn enough PROLOG to get
Tivoli to mine our logs, or I learn how to use the free MS Log Parser to
mine our DCs) and I did a test login and logout on a test user account (all
events associated with that user were cleaned prior to testing) and I found
that logging in created 28 mixed login and logout events (including 538,
540, 673 events) on login but only 1 540 logON event during logOFF and 2 538
logoff events 12 and 41 minutes after logging out!!!

What I would really like to do is tell HR to &[EMAIL PROTECTED] Themselves and
tell the supervisors to do a better job tracking their employees and spend my
valuable time tracking events for critical System and application events
instead of babysitting the incompetents. But unfortunately the powers that
be wish to appease the HR beast rather than put it in its place, so I have
to clean up the flood of login events into a form that they can understand.

Does anyone recommend any software suited to this purpose, or does anyone
know of a simple query of events to pinpoint domain activity?

Gideon Ashcraft

Network Administrator

Screen Actors Guild
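
The script-to-DB approach from the reply at the top of this thread, as an added example that is not part of the original messages and is not either poster's code: it pairs script-recorded logon and logoff rows into sessions and leaves a session open when the logoff script never ran. The table name, column names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows a logon/logoff script might insert; table and column names are assumed.
SAMPLE = [
    ("jdoe",   "WS-014", "logon",  "2005-03-01 08:02:11"),
    ("jdoe",   "WS-014", "logoff", "2005-03-01 12:01:40"),
    ("jdoe",   "WS-014", "logon",  "2005-03-01 13:00:05"),
    ("jdoe",   "WS-014", "logoff", "2005-03-01 17:04:52"),
    ("asmith", "WS-020", "logon",  "2005-03-01 09:15:00"),  # no logoff row: PC powered off
    ("asmith", "WS-020", "logon",  "2005-03-02 09:10:00"),
    ("asmith", "WS-020", "logoff", "2005-03-02 16:45:30"),
]

def build_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session_events (username TEXT, workstation TEXT, action TEXT, ts TEXT)")
    db.executemany("INSERT INTO session_events VALUES (?, ?, ?, ?)", rows)
    return db

def sessions(db):
    """Pair each logon with the next logoff for the same user and workstation.
    A logon followed by another logon is kept as an open session (end=None), not guessed."""
    out, open_logon = [], {}
    cur = db.execute("SELECT username, workstation, action, ts FROM session_events ORDER BY ts")
    for user, ws, action, ts in cur:
        key = (user, ws)
        if action == "logon":
            if key in open_logon:  # previous logon never got its logoff
                out.append((user, ws, open_logon[key], None))
            open_logon[key] = ts
        elif action == "logoff" and key in open_logon:
            out.append((user, ws, open_logon.pop(key), ts))
    out.extend((u, w, start, None) for (u, w), start in open_logon.items())
    return sorted(out, key=lambda s: s[2])

def daily_summary(sess):
    """Per user and day: first logon, last logoff, and count of sessions with no logoff."""
    days = {}
    for user, _ws, start, end in sess:  # sess is sorted, so the first start seen is the earliest
        d = days.setdefault((user, start[:10]), {"first_logon": start, "last_logoff": None, "open": 0})
        if end is None:
            d["open"] += 1
        elif d["last_logoff"] is None or end > d["last_logoff"]:
            d["last_logoff"] = end
    return days

if __name__ == "__main__":
    for key, d in sorted(daily_summary(sessions(build_db(SAMPLE))).items()):
        print(key, d)
```

Days with a non-zero `open` count are the ones to report as incomplete rather than as a missing logoff time.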

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
