RE: [ActiveDir] (l)user login auditing

[Thijssen, Andries \(Cognizant\)]

Title: Message

Keep in mind that you won't be getting events for users who stay logged on to their workstations. I don't know whether unlocking your screen saver generates an event in the security log of the domain controller.   Regards,   Andries   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft Sent: 11 March 2005 04:56 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] (l)user login auditing This did the trick, I already ran it in my test group with the script piping into a backend database with a frontend setup for HR to run queries (I was getting errors on the logins if I had the database open). I would prefer to have it pipe into SQL though, but I’m new to vbs (I survived on batch scripting until now), what would be the calls to pass the data into a sql database as opposed to access? I could merge the data from the access database, but it would be much easier to pipe it straight into sql, and give hr a web interface.   Many thx,   Gideon Ashcraft   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stelley, Douglas Sent: Wednesday, March 09, 2005 8:26 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] (l)user login auditing   I had to do a similar thing (in a 1000 user environment) so I created an MDB file (userlog.mdb) with a table (Transactions) that has fields(DateStamp, UserName, WorkStation,TransactionType) Then I wrote the following 2 scripts: which are run at logon and logoff. the resulting mdb will give a nice history going forward of logon/off times and workstation access. I could give them more, but they didn't ask... Doug   '{userlogon.vbs}   Set WSHNetwork = WScript.CreateObject("WScript.Network")   ' Get Current Users Information set shell = WScript.CreateObject( "WScript.Shell" ) username = shell.ExpandEnvironmentStrings("%USERNAME%") 'msgbox username clientmachine = shell.ExpandEnvironmentStrings("%CLIENTNAME%") 'msgbox clientmachine sessionname = shell.ExpandEnvironmentStrings("%SESSIONNAME%") 'msgbox sessionname server = shell.ExpandEnvironmentStrings("%COMPUTERNAME%") 'msgbox server   dim SQL, rs set conn=CreateObject("ADODB.Connection")  conn.Provider="Microsoft.Jet.OLEDB.4.0"  conn.Open "\\ntapps\pccommon\userlog\userLog.mdb"  set rs = createobject("ADODB.Recordset")  SQL = "insert into Transactions (DateStamp, UserName, WorkStation,TransactionType)" & " values (#" & NOW() & "#,'"& username & "','" & server  & "','LogOn')"       rs.Open SQL, conn  'rs.Close  conn.Close   '{userlogoff.vbs} Set WSHNetwork = WScript.CreateObject("WScript.Network")   ' Get Current Users Information set shell = WScript.CreateObject( "WScript.Shell" ) username = shell.ExpandEnvironmentStrings("%USERNAME%") 'msgbox username clientmachine = shell.ExpandEnvironmentStrings("%CLIENTNAME%") 'msgbox clientmachine sessionname = shell.ExpandEnvironmentStrings("%SESSIONNAME%") 'msgbox sessionname server = shell.ExpandEnvironmentStrings("%COMPUTERNAME%") 'msgbox server   dim SQL, rs set conn=CreateObject("ADODB.Connection")  conn.Provider="Microsoft.Jet.OLEDB.4.0"  conn.Open "\\ntapps\pccommon\userlog\userLog.mdb"  set rs = createobject("ADODB.Recordset")  SQL = "insert into Transactions (DateStamp, UserName, WorkStation,TransactionType)" & " values (#" & NOW() & "#,'"& username & "','" & server  & "','LogOff')"       rs.Open SQL, conn  'rs.Close  conn.Close       From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason B Sent: Wednesday, March 09, 2005 11:08 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] (l)user login auditing This is where Ed should chime in with his famous line - something to the extent of it being a bad idea to try to address/fix behavioral problems using technology.   I wish I had an answer for you, but would be curious to hear what others say about the situation. ----- Original Message ----- From: Gideon Ashcraft To: ActiveDir@mail.activedir.org Sent: Wednesday, March 09, 2005 8:28 AM Subject: [ActiveDir] (l)user login auditing   Some fool mentioned to our HR department that we can track our employee’s work routines by auditing the login events to our DC’s instead of their supervisors actually doing work and tracking the work habits of their charges. So now I need to present reports to our illustrious HR department in terms they can understand (pretty pictures and colors with all the details washed out so they can grasp the picture). I started by enabling login successes in the default DC policy and was overwhelmed by a flood of events from login attempts and the constant flood of logins (20,000 security events/day) from our LANutil inventory (don’t ever use PC-Duo) software (originally setup wrong by helpdesk staff and currently locking the accounts of anyone associated with that deployment (I’m letting them suffer for the moment because they did it without asking for Domain Admin support).   Currently I am using a 60 day trial of GFI’s SELM log monitor to archive events (until my UNIX admin has the time to learn enough PROLOG to get Tivoli to mine our logs, or I learn how to use the free MS Log Parser to mine our DC’s) and I did a test login and logout on a test user account (all events associated with that user were cleaned prior to testing) and I found that logging in created 28 mixed login and logout events (including 538, 540, 673 events) on login but only 1 540 logON event during logOFF and 2 538 logoff events 12 and 41 minutes after logging out!!!   What I would really like to do is tell HR to &[EMAIL PROTECTED] Themselves and tell the supervisors to do a better job tracking their employees and spend my valuable time tracking events for critical System and application events instead of babysitting the incompetents. But unfortunately the powers that be wish to appease the HR beast rather than put it in its place, so I have to clean up the flood of login events into a form that they can understand.   Does anyone recommend any software suited to this purpose or can does anyone know of a simple query of events to pinpoint domain activity?   Gideon Ashcraft Network Administrator Screen Actors Guild   Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you. This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful. Visit us at http://www.cognizant.com