I have also seen some fun examples that send an email message on logon and logoff to a special account and then a perl script harvests the emails and throws them into a database.
One company I worked for did this for automated server builds too. The script would email the build logs when the server was finished with the build process. That info was saved as it helped let you know exactly how a server was built and was an alarm to let you know it was done so you could go do whatever you needed to it. It was quite a bright idea to do it. Genius in its simplicity. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Thursday, February 03, 2005 5:56 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Login/Logoff Have every machine write the data locally to a hidden folder, then send the data to a central file share. This logonscript actually has an example of that: http://www.ultratech-llc.com/KB/Scripts/?File=LogOn.BAT -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/ On Thu, 3 Feb 2005 15:44:39 -0700, Carstensen, Pete <[EMAIL PROTECTED]> wrote: > Put what in there? > > I suspect you are thinking adding a flag record or something to an > audit text file. We have 6 DC's in 4 locations. To save crossing > over, it would have to parse the netlogon DC and point the flag record > append to a specific directory there. I can see several problems with > that. Is there a simpler way? > > ***************************** > Pete Carstensen, MCSE > Senior LAN Engineer > CSK Auto, Inc. > 645 E. Missouri Ave. > Phoenix, AZ 85012 > (602) 631-7176 > [EMAIL PROTECTED] > > "So many of our dreams at first seem impossible, then they seem > improbable, and then, when we summon the will, they soon become > inevitable." -- Christopher Reeve > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of ASB > Sent: Thursday, February 03, 2005 3:26 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] Login/Logoff > > Put it in the Logon and LogOff Scripts... > > -ASB > FAST, CHEAP, SECURE: Pick Any TWO > http://www.ultratech-llc.com/KB/ > > On Thu, 3 Feb 2005 15:13:35 -0700, Carstensen, Pete > <[EMAIL PROTECTED]> wrote: > > > > > > In trying to track user activity, I am parsing the security logs > > using EventCombMT. It finds the 538/540 events just fine but the > > problem is > that > > it finds far too many. I am seeing groups of consecutive logon > events, > > which I presume is attachments to network resources, but then I > immediately > > see logoff events too. Perhaps an hour goes by and more of these > occur. In > > fact, it occurs throughout the day. > > > > I suspect that perhaps the first in the series is the user logging > > on > > > > Then more occur with resource connection (mapped drives, printers, > etc. > > > > Some of those log out. > > > > Further login/logoff events occur as resources are requested during > the day. > > > > Final logoff for the day is the actual user doing so. > > > > Q: If the above is a correct assessment of the situation, is there > > a > better > > event id or filter to see the actual user netlogon timing rather > > than resource attachment? > > > > > > > > ***************************** > > Pete Carstensen List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
