Logon Script is here to stay …

A logon script is a set of instructions that are executed on the client computer when a user logs on. There are two ways to set up a logon script. The first is to type it in on the “Profile” tab of the user properties dialog in Active Directory Users and Computers (ADUC); the second is to use Group Policy Objects (GPOs) to assign your logon script.

Why would someone choose one method over another?

You have to use ADUC if you have client computers running a Windows OS older than Windows 2000, because GPOs are not applied on client computers with these operating systems. With clients that run at least Windows 2000, you have GPOs as an additional option. But if all of your clients run Windows 7 and your servers run Windows Server 2008 R2, the question above is no longer a dilemma. You know for sure that Group Policy Objects and the newer Group Policy Preferences (GPP) extensions offer the best possible solutions. Now we can change the question and ask:

Do we need a logon script?

Answer:

a) Yes

b) No

c) All the above

There is no easy answer to this question. Microsoft does not provide “official guidance” on whether we should keep using GPOs to perform most of the legacy configuration tasks that were previously performed exclusively by logon scripts. The answer should be founded on the organization’s needs, its size and complexity, as well as the experience and technical competence of the network administrators.

For now, a good balanced answer to the question above is that logon scripts should be used to handle those tasks that can’t be done with GPOs. As a general rule, apply GPOs or GPP to deploy or push a configuration change; as the exception to this rule, apply scripts to collect information from client computers and servers.

What would be a good example of an exception to the general rule that would justify using a logon/logoff script?

A good candidate would be a script that tracks user logons and logoffs. To view an article with an example on the Microsoft site, please follow this link: http://support.microsoft.com/kb/556015.

Here I will show you my example of a logon and a logoff script created with PowerShell. Together they create a monthly rolling log file that records when and where each user logs on and logs off.

The first one is the logon script:

# Filename: LogOnScript.ps1
# Date:           April 30, 2012
# Author:   Alex Dujakovic
# Description: Logon script to collect user Logs On
# **************************************************************
$ErrorActionPreference = "SilentlyContinue"
$strName = $env:username
$strComputerName = $env:ComputerName
$strTime = Get-Date -Format "t"
$strDate = Get-Date -format "yyyy-MM-dd"
$strFile = Get-Date -format "yyyy-MM"
$strFileName = "\\ServerName\LoginAndOutFiles$\"
# **************************************************************
$strFileName += [string]$strFile + ".txt"
$strDate + "," + $strTime + "," + $strName + "," + $strComputerName + "," + "Logon" | Out-File $strFileName -append -Encoding ASCII

And the second one is the logoff script:

# Filename: LogOffScript.ps1
# Date:           April 30, 2012
# Author:   Alex Dujakovic
# Description: Logoff script to collect user Logs Off
# **************************************************************
$ErrorActionPreference = "SilentlyContinue"
$strName = $env:username
$strComputerName = $env:ComputerName
$strTime = Get-Date -Format "t"
$strDate = Get-Date -format "yyyy-MM-dd"
$strFile = Get-Date -format "yyyy-MM"
$strFileName = "\\ServerName\LoginAndOutFiles$\"
# **************************************************************
$strFileName += [string]$strFile + ".txt"
$strDate + "," + $strTime + "," + $strName + "," + $strComputerName + "," + "Logoff" | Out-File $strFileName -append -Encoding ASCII

These scripts should be specified in a Group Policy. Logon and logoff scripts run with the permissions of the user, so the group “Domain Users” can be given permission to write to the LoginAndOutFiles$ share folder that holds the log files. Because every user can then write to those files, the log is a convenience record rather than a tamper-resistant audit trail. The rolling log file name is created in the following format: YYYY-MM.txt. When I browse the content of the LoginAndOutFiles$ share folder, I can see the list of log files created for each month of the current year, as shown in the picture below.

[Picture: LogInAndLogOutFiles]

A monthly rolling log file with name 2012-11.txt will look like this:

2012-11-12,11:28 AM,Alex,Halifax-01,Login
2012-11-12,11:31 AM,Alex,Dartmouth-02,Login
2012-11-12,11:32 AM,Alex,Halifax-01,Logoff
2012-11-12,3:30 PM,David,Bedford-03,Logoff
2012-11-12,3:31 PM,Alex,Bedford-03,Login
2012-11-12,3:33 PM,John,Dartmouth-04,Login
2012-11-12,3:38 PM,Alex,Bedford-03,Logoff

Here I will provide another PowerShell script, named Get-LogFileInfo.ps1, which will help you analyze the log files. With this script you will be able to search the log files and retrieve information based on computer and/or user name.

<#
.SYNOPSIS
Retrieves information from the log file that contains information of user(s) logon and logoff activity.
.DESCRIPTION
Get-LogFileInfo reads the log file specified and uses hash table to retrieve information from the
users logon and logoff activity on computers in a domain. The result is a table that displays
date/time, computer name, user name and action: logon/logoff.
.PARAMETER computer
The computer name, for which we want to display logon and logoff activity.
.PARAMETER logfile
This is a mandatory parameter. You have to type the path and the name of the log file
that contains information of user's logon and logoff activity.
.PARAMETER user
The user name, for whom we want to display logon and logoff activity.
.EXAMPLE
.\Get-LogFileInfo.ps1 -logfile logname.txt
Assuming logname.txt contains logon/logoff information, this example displays the content of the log file.
.EXAMPLE
.\Get-LogFileInfo.ps1 -logfile logname.txt -computer "Halifax-01"
This example retrieves information from the log file for a computer named Halifax-01.
.EXAMPLE
.\Get-LogFileInfo.ps1 -logfile logname.txt -user "Smith"
This example retrieves information from the log file for a user named Smith.
.EXAMPLE
.\Get-LogFileInfo.ps1 -logfile logname.txt -computer "Halifax-01" -user "Smith"
This example retrieves information from the log file for a computer named Halifax-01 and a user named Smith.
#>
[CmdletBinding()]
	Param
        (
            [parameter(Mandatory=$True)]
            [String]
            $logfile,

            [parameter(Mandatory=$False)]
            [String]
            $computer,

            [parameter(Mandatory=$False)]
            [String]
            $user
        )
Get-Content -Path $logfile |
ForEach-Object {
                 # Split each line once: date, time, user name, computer name, action
                 $fields = $_.Split(",")
                 # Skip blank or truncated lines instead of failing on missing fields
                 if($fields.Count -ge 5){
                        # Build a new object per line from a hash table, so that
                        # every record keeps its own values further down the pipeline
                        New-Object -TypeName PSObject -Property @{
                                LogDate  = $fields[0]
                                LogTime  = $fields[1]
                                UserName = $fields[2]
                                PCName   = $fields[3]
                                Action   = $fields[4]
                                }
                        }
                } |
# An empty -computer or -user parameter means "do not filter on this field"
Where-Object {
                 (($computer -eq "") -or ($_.PCName.Trim() -eq "$computer")) -and
                 (($user -eq "") -or ($_.UserName.Trim() -eq "$user"))
                } |
Format-Table LogDate, LogTime, PCName, UserName, Action -auto

The first example displays the content of the log file:

The second example shows all logon and logoff information for a user named Alex:

The third example shows logon/logoff activity on a computer named Halifax-01:

And the last example displays the result of our combined search by computer/user name:

Please note that you do not need to use a PowerShell script to analyze the log files. Sometimes all that is needed is the following line typed into the PowerShell console:

Select-String -Path 'H:\ServerName\LogInAndOutFiles$\2012*.txt' -Pattern "Alex"

The line above uses Select-String cmdlet to search all the log files contained in the folder named “LoginAndOutFiles$” and with the parameter “-Pattern” I’ve specified the text to find (“Alex”) in my monthly rolling log file. By default, this cmdlet finds the first match in each line and for each match, it displays the file name, line number and all the text in the line containing the match.
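The same log can also answer a question a name search cannot: was one account in use on two computers at the same time? The following is an added example, not part of the original post; `Get-ConcurrentLogon` is a hypothetical function name, and it assumes the lines are in the order they were written and that times look like the sample (`11:28 AM`).

```powershell
# Added example (not from the original post): flag logons that overlap with a
# session the same user still has open on another computer.
# Assumed line format, as in the page's log: date,time,user,computer,action
function Get-ConcurrentLogon {
    param([Parameter(Mandatory=$true)][string[]]$Line)

    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $open = @{}   # user name -> hash table of computer name -> time of open logon

    foreach ($entry in $Line) {
        $f = $entry.Split(",")
        if ($f.Count -lt 5) { continue }          # skip blank or truncated lines
        $when   = [datetime]::Parse("$($f[0]) $($f[1])", $culture)
        $user   = $f[2].Trim()
        $pc     = $f[3].Trim()
        $action = $f[4].Trim()
        if (-not $open.ContainsKey($user)) { $open[$user] = @{} }

        if ($action -eq "Logoff") {
            $open[$user].Remove($pc)              # session on this computer is closed
        }
        elseif ($action -eq "Logon" -or $action -eq "Login") {
            # The script writes "Logon"; the sample log on the page shows "Login"
            foreach ($other in @($open[$user].Keys)) {
                if ($other -ne $pc) {
                    New-Object PSObject -Property @{
                        UserName = $user; Time = $when; Computer = $pc
                        AlsoOn   = $other; Since = $open[$user][$other]
                    }
                }
            }
            $open[$user][$pc] = $when
        }
    }
}

# Alex's lines from the sample log shown earlier on the page
$sample = @(
    "2012-11-12,11:28 AM,Alex,Halifax-01,Login",
    "2012-11-12,11:31 AM,Alex,Dartmouth-02,Login",
    "2012-11-12,11:32 AM,Alex,Halifax-01,Logoff",
    "2012-11-12,3:31 PM,Alex,Bedford-03,Login"
)
Get-ConcurrentLogon -Line $sample |
    Format-Table UserName, Time, Computer, AlsoOn, Since -AutoSize
```

For a real file, pass `(Get-Content $logfile)` as `-Line`. A session with no Logoff line, for example a computer that was powered off, stays open and keeps matching, so treat each hit as a lead to check rather than as proof.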

I hope that these scripts will encourage you to implement them in your organization and help you tackle tracking logon/logoff activity in your AD environment, which is a somewhat cumbersome process without the scripts.

Please read my post with title: PowerShell ADAssist Tool, where I present an application I use to harness stats data produced by logon/logoff scripts created with PowerShell.


7 thoughts on “Logon Script is here to stay …

  1. chris

    Hi there… With the tracking script, is it possible to search for a range of PCs?

    Example: I want to find out about the computers in a certain building that are perhaps named BuildingA01, 02, 03 etc., so I’d want to search for BuildingA
    1. admin Post author

      If the location of the computers is very important, then you should make sure that each computer object in Active Directory has a value set for a location (or description) attribute. For example: Building 01, Room 111. If you want to use it in a logon script, my suggestion would be to change your computers’ naming convention and use the following computer name for a laptop: LP-Bldg01-0001, where (P) stands for Physical, (V) virtual and (T) for thin client.
  2. chris

    Hi there

    We currently have our machines named as, for example, COLB103STF01

    The “COL” represents the building, the “B” is the floor, “103” is the office number, “STF” is staff machine, “01” is machine number. What I’d like to be able to do is use the .\get-logfileinfo.ps1 to just show me perhaps all the activity in COLB*, so that it would simply show all machines in that building? Or perhaps search for COLB103STF*
    1. admin Post author

      Chris,
      Just use Select-String and point to your log files, for example:
      Select-String -Path '\\ServerName\ShareName\LogFiles$\2014*.txt' -Pattern 'COLB103'
      By using the above command, you can extract info about any computer/user or a group of computers/users. Notice the asterisk in 2014*.txt to search through all your log files created in 2014, or just specify 2014-10.txt for Oct 2014.
      Cheers.