Audit User Logon and Logoff

Posted August 25th, 2008 by Matt Shadbolt

A quick and easy way to audit your users login times (and some other details) is by using this simple login script method.
Firstly, you need to build two .BAT file scripts and save them to some sort of Audit share on a server. (I suggest hiding the share with the $ so users can’t easily access the share).
You need to give all users write permissions to the directory as they will be running a script and updating a file.

logoffAuditScript.BAT

echo —- Logoff —- %username%, %computername%, %date%, %time% >>\\SERVERNAME\audit$\logoffAudit.txt

logonAuditScript.BAT

echo —- Logon —- %username%, %computername%, %date%, %time% >>\\SERVERNAME\audit$\logonAudit.txt

You need to add the logonAuditScript.BAT to the login scripts settings in Group Policy and obviously the logoffAuditScript.BAT to the logout scripts setting.

Basically all these batch files do is write a single line with the username, computer name, date and time to the .txt files specified in the script.
You can then open the text files with Excel and find out when your staff are logging in and out.

There are a lot more extensive audit login scripts available out there – however I found this a quick and easy option that satisfies my simple audit needs. The major draw back of this audit method is that it only runs when users login and logout… if users stay logged in for long periods of time nothing is logged. You can use Logon Hours within AD to force users to logout if necessary.

Tags: , , , , ,

7 Responses
Filed under:Active Direcotry, Audit, Group Policy, logoff, logon

7 Responses to “Audit User Logon and Logoff”

  • Recent Faves Tagged With "logon" : MyNetFaves Says:
    September 8th, 2008 at 10:35 am

    [...] public links >> logon Audit User Logon First saved by CuriousEye | 1 days [...]

  • Richard Says:
    October 7th, 2008 at 3:38 am

    Awesome stuff, so simple. How do I go about adding the IP Addresses to that batch file?

  • mattshadbolt Says:
    October 7th, 2008 at 3:52 am

    Very simple :)

    There isn’t a variable for the IP like the username and computername – however I don’t know why you would? If you’ve got the computer name you don’t need the IP – especially if the IP is changing due to DHCP.

  • RYErnest Says:
    December 1st, 2008 at 12:10 am

    Nice post u have here :D Added to my RSS reader

  • Your Reader Says:
    January 28th, 2009 at 4:30 pm

    Wow! Thank you!
    I always wanted to write in my site something like that. Can I take part of your post to my site?
    Of course, I will add backlink?

    Sincerely, Your Reader

  • mattshadbolt Says:
    February 2nd, 2009 at 11:35 am

    sure – as long as you credit me :)

  • Rav Says:
    May 21st, 2011 at 6:56 pm

    Hi Matt,

    Im new to the AD and VMWARE , but i really love this stuff ……..I want to master the Administration of both AD and VMware through powershell…I have started refering your blog daily and able to understand few things on this….I have alsao learnt the basics of powershell….but not able to apply that with the AD and VM ware administration……As I see you people are the masters of this stuff…please help me on this…..

    especially the template stuff….i dont understand what that means…..also please help me how do i administer the AD the commandlets that can be used…….

    Please help me ………..

Leave a Reply