Looking up user logons. 1

[alewis17]

Hi, I am at a school setting and was wondering how to check when i certain person would logon.

Heres the scenario. We use a firewall/content filter to keep students from looking at bad websites, and when they try it, it logs the ip address and time. I thought I could go into event viewer and see who logged into that computer at the given time, but it doesn't always say. All it will say is the name of the local pc and not the name of the user that logged in. Do I need to turn something on? Any help will be appreciated.

 

[porkchopexpress]

It's very difficult to lookup this info as it is logged on the DC that authenticated the user, we use a script that is run at user logon and puts the station name, username, and time into an access DB. It works very well in a LAN environment but requires the station to have JET installed, as this is installed with MS office most stations have it.

On Error Resume Next

Dim adoCn
Dim adoRs
Dim network
Dim user
Dim compname
Dim strSQLInsert


Set network = CreateObject("Wscript.Network")
user = network.username
compname = network.computername

Set adoCn = CreateObject("ADODB.Connection")

adoCn.Open "Provider=Microsoft.Jet.OLEDB.4.0;" & _
           "Data Source=\\server\logs$\userinfo.mdb" 'CHANGE THIS BIT

'Check the connection opened ok           
If Err.Number <> 0 Then           
	Call ErrHandler
End If


strSQLInsert = "INSERT INTO [Log On] ([date], [time], [user], compname) " & _  
	"VALUES ('" & Date & "', '" & Time & "', '" & user & "', '" & compname & "')"

adoCn.Execute strSQLInsert, , 8

'Check the data was inserted OK
If Err.Number <> 0 Then           
	Call ErrHandler
End If

adoCn.Close

Set adoCn = Nothing
Set network = Nothing





Sub ErrHandler()
Dim fso, f

Const ForReading = 1, ForWriting = 2, ForAppending = 8

Set fso = CreateObject("Scripting.FileSystemObject")

Set f = fso.OpenTextFile("\\trigger\logs$\" & LogError & ".txt" , ForAppending, True)

f.WriteLine Date & ", " & Time & ", " & user & ", " & compname & ", " & Chr(34) & Err.Description & Chr(34)
f.Close

Set fso = nothing

Err.Clear

End Sub

 

[compuveg]

I couldn't read this thread without commenting that it is ridiculous that ADS is so poor for auditing events within it.

 

[acl03]

porkchop - where in the event log on each DC does it say which user is logging in? I am trying to verify that my sties/subnets are set up correctly, and that someone in a certain field office is hitting their DC, not the one in our central office...thanks.



Thanks,
Andrew

 

[compuveg]

You have to have the auditing policy setup to capture the events. Then it would be in the security event log.

 

[acl03]

I believe i do have it set up - i see tons of Account Logon, Logon/Logoff events - which ones are the actual user logons?



Thanks,
Andrew

 

[porkchopexpress]

Hi

The problem is that you can never tell which DC logged the user on so you have to check the evt log on all DC's to find the info. There is a tool provided by MS that will query this info but i can't remember what its called i'll post it when i do (something like log analizer).

or use a third party util

http://www.tools4ever.com/products/utilities/reallastlogon/

I think event id 678 is a user logon event, i'll double check that at work tomorrow.

 

[alewis17]

Thanks for the help,

We do not have MS Office installed on every workstation. We use StarOffice for financial reasons.

 

[porkchopexpress]

This might work as its the jet componant that handles it.

http://www.download.com/Microsoft-Jet-Database-Engine-3-5/3000-2114_4-4238277.html

 

[PPettit]

Look for Event ID 528 and 552. They show the username and remote IP address.

 

[acl03]

Cool - thanks...



Thanks,
Andrew