0

I need to catch Win Srv 2012 domain users logon and logoff time (also if possible sleep and wake time) and insert that into an sql table to build report showing users working time. All workstations have Win 7 Pro and work locally (not through terminal services). Due to the number of workstations I'd prefer to have every script/policy on server.

Any help will be much appreciated.

Regards, Przemek

Przemyslaw Wojda
  • There is something called audit in the Windows event log. Why do you require a script? – YuKYuK Feb 19 '15 at 09:08
  • There is a software called UserLock, that does that and much more. Has central administration. Deploys agents on workstation. Makes nice reports. Can enforce various limits, like simultaneous logins. – Dan Feb 19 '15 at 09:12
  • @Dan: UserLock will be some solution but first I'd like to check domain / powershell possibilities. – Przemyslaw Wojda Feb 19 '15 at 09:30
  • @YukYuK: Could you please say a little bit more about the eventlog? How to catch logon/logoff/wake/sleep events and insert them into sql table? – Przemyslaw Wojda Feb 19 '15 at 09:32

2 Answers

1

There are solutions for your need:

1- Use a HIDS software agent on the client to log events to a server. This needs installation on the client and configuration of the server, and doesn't work outside without a VPN, etc. (OSSEC or other SIEM/HIDS tools do the job.)

2- Use the Windows audit capability to centralize all events. This works without tools on the client side. You just have to run a script/GPO with configuration to send the security log to a centralization server. Look at this one: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Centralized-Auditing-here-FREE.html

After that you need some script to read the audit log on the centralized server and write to a database.

There are tools like NXLog and Snare that do the job (read the event log and format it for syslog). And Logstash can read syslog and write to a database (NoSQL database or SQL database).

There is commercial software doing that too, but it's not the place to talk about that (google for commercial products).

YuKYuK
  • Thanks YukYuk. I'd like to try with a task scheduler on DC that will trigger a powershell script. I've created a separate question for that - http://serverfault.com/questions/670132/win-srv-2012-task-scheduler-trigger-based-on-domain-workstation-logon. – Przemyslaw Wojda Feb 20 '15 at 12:28
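
The second option in the answer above (send the Security log to a central server, then have a script read it and write to a database) could look like the following in PowerShell. This is an added example, not part of the original answer; it assumes the workstations already forward Security events to the collector's ForwardedEvents log, and the SQL server, database, table and state-file names are hypothetical.

```powershell
# Added example, not from the original answer. Assumed (hypothetical) names: SQL Server
# 'SQLSRV01', database 'Audit', table dbo.LogonEvents(EventTime datetime2,
# Computer nvarchar(64), UserName nvarchar(256), EventType nvarchar(16)).
$connString = 'Server=SQLSRV01;Database=Audit;Integrated Security=True'
$stateFile  = 'C:\Scripts\logon-collector.last'   # time of the newest event already stored

# Security event IDs: 4624 = logon, 4634 = logoff, 4647 = user-initiated logoff
$eventTypes = @{ 4624 = 'logon'; 4634 = 'logoff'; 4647 = 'logoff' }
# Logon types for a person at the machine: 2 interactive, 7 unlock, 11 cached interactive
$humanLogonTypes = '2', '7', '11'

$since = if (Test-Path $stateFile) { [datetime](Get-Content $stateFile) } else { (Get-Date).AddDays(-1) }
$filter = @{ LogName = 'ForwardedEvents'; Id = 4624, 4634, 4647; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt $since } | Sort-Object TimeCreated

$conn = New-Object System.Data.SqlClient.SqlConnection $connString
$conn.Open()
try {
    # Parameterized INSERT: event fields such as user names are never spliced into SQL text
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'INSERT INTO dbo.LogonEvents (EventTime, Computer, UserName, EventType) ' +
                       'VALUES (@t, @c, @u, @e)'
    [void]$cmd.Parameters.Add('@t', [System.Data.SqlDbType]::DateTime2)
    [void]$cmd.Parameters.Add('@c', [System.Data.SqlDbType]::NVarChar, 64)
    [void]$cmd.Parameters.Add('@u', [System.Data.SqlDbType]::NVarChar, 256)
    [void]$cmd.Parameters.Add('@e', [System.Data.SqlDbType]::NVarChar, 16)

    foreach ($e in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a name -> value table
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        # 4624/4634 carry LogonType; skip network, service and batch logons
        if ($e.Id -ne 4647 -and $humanLogonTypes -notcontains $data['LogonType']) { continue }

        $cmd.Parameters['@t'].Value = $e.TimeCreated
        $cmd.Parameters['@c'].Value = $e.MachineName   # originating workstation
        $cmd.Parameters['@u'].Value = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        $cmd.Parameters['@e'].Value = $eventTypes[$e.Id]
        [void]$cmd.ExecuteNonQuery()

        # Record progress only after a successful insert so a failed run is retried
        $e.TimeCreated.ToString('o') | Set-Content $stateFile
    }
}
finally { $conn.Close() }
```

The script covers logon and logoff only and is meant to be run periodically on the collector; the workstations must have logon/logoff auditing enabled for events 4624, 4634 and 4647 to exist.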
0

You can use Get-ADComputer

Get-ADComputer -identity <machineName> -Properties * | FT Name, LastLogonDate

machineName = target machine name

  • Yes, I found this option but I need something that will work as a trigger i.e. user logs on / off / sleeps / wakes script inserts a record into an sql table. – Przemyslaw Wojda Feb 19 '15 at 09:57
  • I think you can use the PowerShell script to run the query and push the collected data into the database; the script should be run in Windows Task Scheduler continuously in a proper manner. – Madura Dissanayake Feb 19 '15 at 10:06
  • Indeed but 1) how to catch the events from server not workstations with user names, datetime and event type 2) how to insert that into sql? – Przemyslaw Wojda Feb 19 '15 at 10:32