Here's something I came up with to find when users are logging on and off of their machines.

First we need to create a PowerShell script to find the actual info (I wish I wrote this, found it on the internet):

 

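# ReplacementStrings[1] holds the user's SID; translate it to a DOMAIN\user account name
$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
# Winlogon event 7001 is a logon; the other event this source writes (7002) is a logoff
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProperty = @{n="Time";e={$_.TimeGenerated}}
# Read the Winlogon entries from the System log and keep only user, action and time
Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProperty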

 

Save this as "get_logon_logoff.ps1".

Next, create a new script in the K1000.

Script type = Shell Script.

Upload the ps1 file as a dependency for the script.

Enter this as the script text:

 

IF NOT EXIST C:\windows\tvg (
mkdir c:\windows\tvg
)
powershell.exe -nologo -executionpolicy bypass -WindowStyle hidden -noprofile -file get_logon_logoff.ps1 > c:\windows\tvg\log.txt
 

Also make sure you change the script name from script.sh to script.bat.

 

 

 

Run this script on your test machine.

Next, to actually see the information, we'll create a custom inventory rule.

I called mine "Log on / Log off", but it doesn't really matter.

What's important is the rule syntax:

ShellCommandTextReturn(cmd.exe /c type c:\windows\tvg\log.txt)


This is what it looks like when we're all done.


I hope this helps and you guys like it!


Post edit: in the script text there should only be one ">" instead of two (">>"). I corrected it in the code but not the pic.
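
A variant of get_logon_logoff.ps1, added here as an example and not part of the original post: it reads the same Winlogon 7001/7002 events with Get-WinEvent, limits the output to a recent window so log.txt stays small, and keeps the raw SID when an account can no longer be resolved. The 14-day window, the CSV output and the Resolve-Sid helper name are assumptions of this example.

```powershell
# Added example (not from the original post): logon/logoff report via Get-WinEvent.
# Assumptions: 14-day window, CSV output, helper name Resolve-Sid.
$since = (Get-Date).AddDays(-14)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Winlogon'
    Id           = 7001, 7002      # 7001 = logon, 7002 = logoff
    StartTime    = $since          # filter at the source instead of reading the whole log
}

# Cache SID -> account lookups so each user is resolved only once
$sidCache = @{}

function Resolve-Sid {
    param([string]$Sid)
    if (-not $sidCache.ContainsKey($Sid)) {
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
            $sidCache[$Sid] = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted account or unreachable domain: keep the SID rather than failing the row
            $sidCache[$Sid] = $Sid
        }
    }
    $sidCache[$Sid]
}

# Get-WinEvent raises an error when nothing matches; suppress it so an idle
# machine produces an empty report instead of error text in log.txt
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
            Action = if ($_.Id -eq 7001) { 'Logon' } else { 'Logoff' }
            # Properties[1] is the user SID, the same field as ReplacementStrings[1]
            User   = Resolve-Sid ([string]$_.Properties[1].Value)
        }
    } |
    ConvertTo-Csv -NoTypeInformation
```

It writes to standard output, so the same ">" redirect in the script text captures it.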