Auditing users logoff times??

Hi all,

I am trying to set-up a rule in group policy that allows me to check what time users are loggin off at night, but am having troule doing so.

For some reason all it keeps doing is showing failure audit attempts, even when success is ticked. At the present time i am just going around in circles.

Could someone please give me some suggestions as to where i apply the policy and what rule i should be using.

It has been suggested that it is done at "account logon events", but if thats the case do i need to turn off some of the other policies.

Like i said all i want to do is monitor our users to see which ones are loggin off late at night. On top of this is there a way to get the information of these users into some sort of spreadsheet or database.

If it works, it would seem like a lot of work to have to go through the event viewer and sift trough hundreds of events to look at times.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

eurotrash

You can try either Audit account logon events or Audit logon events or both. Try configuring it in the default domain policy. And no, you don't need to turn off other policies for whatever reason

You can use the filter in event viewer to sort through the entries, and/or you can export the file as comma delimited or tab delimited, which are made for importing into spreadsheet or whatever programs.

woodworm

If you Audit Logon Events you should get an event 538 (type 2) message in the security log (you may want to search the MS Technet site for details of this as there are different 538 events).

On a side note, MS has a really usefull little tool for searching event logs on multiple machines called EventCombMT (it can save the results as an .mdb or .csv file) and it's a part of the Account Lockout Tools found here

http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

Sorry for the long linky, I can't remember how to shorten it!

sprkymrk

You can use GP to set a script that runs at logoff as well as logon. Set up a hidden share with write/list (no read necessary) access to authorized users and run this as a logoff script:

:INFOLOG
ECHO %USERNAME% HAS LOGGED OFF %COMPUTERNAME% >> \\SERVER\MISC_LOGS$\%COMPUTERNAME%.TXT
TIME /T >> \\SERVER\MISC_LOGS$\%COMPUTERNAME%.TXT
DATE /t >> \\SERVER\MISC_LOGS$\%COMPUTERNAME%.TXT
ECHO. >> \\SERVER\MISC_LOGS$\%COMPUTERNAME%.TXT
ECHO ====================================== >> \\SERVER\MISC_LOGS$\%COMPUTERNAME%.TXT
ECHO. >> \\SERVER\MISC_LOGS$\%COMPUTERNAME%.TXT

This way when a user logs off, it will send the username and logoff date/time to a text file on the server share named actualcomputername.txt. You can just check the name of the computer to see who logged off last and when. BTW - I use a similar script for logons as well. To find a specific user just search the share for a word or phrase in a file containing the username.

albanga

Thanks heaps sprkymrk.

That is absoulately awesome. It worked exactly like we were after. Just added a rule to check only times after 5pm so it doesn't fill up with unnecessary logoff events.

Really appreciate the effort!!

sprkymrk

albanga wrote:

Thanks heaps sprkymrk.

That is absoulately awesome. It worked exactly like we were after. Just added a rule to check only times after 5pm so it doesn't fill up with unnecessary logoff events.

Really appreciate the effort!!

Cool, your welcome.

My mom would be so proud of me!