
HOW TO: Find User Log On and Log Off Time

Here's something I came up with to find when users are logging on and off of their machines.

First we need to create a PowerShell script to find the actual info (I wish I wrote this, found it on the internet):

 

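# Translate the SID stored in the event (ReplacementStrings[1]) into a DOMAIN\user name
$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
# Event ID 7001 is a logon; anything else from this source is reported as a logoff
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProperty = @{n="Time";e={$_.TimeGenerated}}
# Read the Winlogon events from the System log and output user, action and time
Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProperty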

 

Save this as "get_logon_logoff.ps1"

Next create a new script in the K1000. 

Script type = Shell Script.

Upload the ps1 file as a dependency for the script.

Enter this for this script text.

 

IF NOT EXIST C:\windows\tvg (
mkdir c:\windows\tvg
)
powershell.exe -nologo -executionpolicy bypass -WindowStyle hidden -noprofile -file get_logon_logoff.ps1 > c:\windows\tvg\log.txt
 

Also make sure you change the script name from script.sh to script.bat.

 

 

 

Run this script on your test machine.

Next, to actually see the information, we'll create a custom inventory rule.

I called mine "Log on / Log off", but it doesn't really matter.

What's important is the rule syntax:

ShellCommandTextReturn(cmd.exe /c type c:\windows\tvg\log.txt)


This is what it looks like when we're all done.


I hope this helps and you guys like it!


**post edit, in the script text there should only be one ">" instead of 2 (">>"). I corrected in the code but not the pic.
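
A variant of get_logon_logoff.ps1 that bounds the look-back window (the 45-day value comes from the comments below), matches event IDs 7001 and 7002 explicitly, and falls back to the raw SID when an account can no longer be resolved. This is an added example, not part of the original post; the $Days parameter and the Resolve-Sid helper are names made up for this illustration, and it assumes Windows PowerShell (powershell.exe), where Get-EventLog is available.

```powershell
# Added example, not the original poster's script.
# $Days and Resolve-Sid are hypothetical names introduced for this illustration.
param(
    [int]$Days = 45   # look-back window; 45 is the value suggested in the thread
)

$since = [DateTime]::Today.AddDays(-$Days)

# Match the two IDs explicitly so that any other event from this source is
# skipped rather than falling into the "else" branch and being labelled "Logoff".
$labels = @{ 7001 = 'Logon'; 7002 = 'Logoff' }

function Resolve-Sid {
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # Deleted accounts, or an unreachable domain, cannot be translated.
        # Keep the raw SID so the row is still reported instead of erroring out.
        $Sid
    }
}

Get-EventLog -LogName System -Source Microsoft-Windows-Winlogon -After $since -ErrorAction SilentlyContinue |
    Where-Object { $labels.ContainsKey([int]$_.EventID) -and $_.ReplacementStrings.Length -gt 1 } |
    Sort-Object TimeGenerated |
    Select-Object @{ n = 'User';   e = { Resolve-Sid $_.ReplacementStrings[1] } },
                  @{ n = 'Action'; e = { $labels[[int]$_.EventID] } },
                  @{ n = 'Time';   e = { $_.TimeGenerated.ToString('yyyy-MM-dd HH:mm:ss') } }
```

Because each run overwrites log.txt with a single ">", the file size stays proportional to the chosen window rather than growing with every scheduled run.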



Comments

  • This is awesome. My only question would be how long would this list get?
    Also, is there a better way to prevent the CMD screen from flashing? I know some users that would notice this right away. - dugullett 11 years ago
    • You could limit the number of days being returned. Try adding this to the top of your powershell script. For example last 45 days.

      $d = [DateTime]::Today.AddDays(-45);

      Then change the last line to something like this:
      Get-EventLog System -Source Microsoft-Windows-Winlogon -After $d

      As for hiding the window, nothing I've found yet.... If anybody has any ideas that would be much appreciated. - dchristian 11 years ago
      • You could use a batch to exe converter. Convert the batch file to an exe and choose to hide the window. Switch script type to a kscript and add the exe as a dependency. Edit the script so the verification always fails and launch the exe as remediation.
        I use this
        http://www.f2ko.de/programs.php?lang=en&pid=b2e - andibogard 11 years ago
      • Nice tip andibogard, Imma check it out! - dchristian 11 years ago
  • I don't remember how to do custom inventory rules. Can you help me with that? - ohiosoundguy 11 years ago
  • Inventory>Software>Choose Action>Add New Item

    Display Name = "Whatever"

    Be sure to select the supported operating systems.

    In this case he used "ShellCommandTextReturn(cmd.exe /c type c:\windows\tvg\log.txt)" under custom inventory rule. This will get the output of the text file and output to the custom fields under your computer inventory, after an inventory update.

    It can also be used for registry entries. It comes in handy when reporting. - dugullett 11 years ago
  • Thanks. I will try it tomorrow. - ohiosoundguy 11 years ago
  • Thanks for the post. I think I am all set now. - ohiosoundguy 11 years ago
  • Ok just a few questions so I can comprehend how this is working.
    In the script configuration,
    Do you Run as local system?
    Do you Schedule it to run? - ohiosoundguy 11 years ago
    • I have mine running as local system. I have it set to run every six hours. I guess more to keep it updated. - dugullett 11 years ago
      • It will not show until an inventory of the machine is done. You can check the output by going to c:\windows\tvg\log.txt. (If you left it going to that path) I have a default path for all of my custom inventory items. - dugullett 11 years ago
  • Thanks. Tested and deployed. I am interested to see how well this works. - ohiosoundguy 11 years ago
  • Thanks guys, this is awesome stuff.

    Tested and it works. - burtono 10 years ago
  • How large does the log file get and how many days does this log keep? - aquiles 7 years ago
  • Huge help! Still works - JPFlory 6 years ago