Have every machine write the data locally to a hidden folder, then send the data to a central file share.
This logonscript actually has an example of that: http://www.ultratech-llc.com/KB/Scripts/?File=LogOn.BAT -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/ On Thu, 3 Feb 2005 15:44:39 -0700, Carstensen, Pete <[EMAIL PROTECTED]> wrote: > Put what in there? > > I suspect you are thinking adding a flag record or something to an audit > text file. We have 6 DC's in 4 locations. To save crossing over, it > would have to parse the netlogon DC and point the flag record append to > a specific directory there. I can see several problems with that. Is > there a simpler way? > > ***************************** > Pete Carstensen, MCSE > Senior LAN Engineer > CSK Auto, Inc. > 645 E. Missouri Ave. > Phoenix, AZ 85012 > (602) 631-7176 > [EMAIL PROTECTED] > > "So many of our dreams at first seem impossible, then they seem > improbable, and then, > when we summon the will, they soon become inevitable." -- Christopher > Reeve > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of ASB > Sent: Thursday, February 03, 2005 3:26 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] Login/Logoff > > Put it in the Logon and LogOff Scripts... > > -ASB > FAST, CHEAP, SECURE: Pick Any TWO > http://www.ultratech-llc.com/KB/ > > On Thu, 3 Feb 2005 15:13:35 -0700, Carstensen, Pete > <[EMAIL PROTECTED]> wrote: > > > > > > In trying to track user activity, I am parsing the security logs using > > EventCombMT. It finds the 538/540 events just fine but the problem is > that > > it finds far too many. I am seeing groups of consecutive logon > events, > > which I presume is attachments to network resources, but then I > immediately > > see logoff events too. Perhaps an hour goes by and more of these > occur. In > > fact, it occurs throughout the day. > > > > I suspect that perhaps the first in the series is the user logging on > > > > Then more occur with resource connection (mapped drives, printers, > etc. > > > > Some of those log out. > > > > Further login/logoff events occur as resources are requested during > the day. > > > > Final logoff for the day is the actual user doing so. > > > > Q: If the above is a correct assessment of the situation, is there a > better > > event id or filter to see the actual user netlogon timing rather than > > resource attachment? > > > > > > > > ***************************** > > Pete Carstensen List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
