Audit Logon/Logoff events

 
 
Michael
      4th Dec 2003
I don't want to use the Win2k Security Log file, and to audit logon events I
have included the following in my logon script:

echo %username% %time% %date% %clientname% >> \\servername\foldershared\logon.log

The problem is that every client has to write to that file, and they can
modify it.

How can I resolve this problem?

And how can I audit the logoff events?

Thanks


 
Vera Noest [MVP]
      4th Dec 2003
You can define a logoff script in your Local Policy, which also
runs the echo command.

The problem with write access is more difficult. Obviously, users
need the right to modify the file to be able to record their
logon.

It sounds to me as if you have a management and security problem
here, rather than a technical problem. If you really suspect your
users to erase their login information from this file, despite the
fact that they obviously have the right to start a TS session,
then there is more going on.

The echo command gives a list which is more easily readable than
the Security EventLog, I agree. But you could, let's say once a
month, export the logon and logoff events from the Security
EventLog to a tab-delimited text file, and then do a quick
comparison with that month's logon.log. You could easily automate
part of this process in a script and with some Excel macros.
That would show you if users really are manipulating the logon.log
file. Would this work for you?

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---
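
The monthly comparison described above, sketched as an added example that is not part of the original posts: it reports logons present in a Security EventLog export that have no matching line in logon.log, and sets aside log lines that do not parse. The export's column names, event ID 528 for a successful logon, the day/month/year timestamps and the five-minute tolerance are assumptions, and both samples are constructed.

```python
import csv
import io
import re
from datetime import datetime, timedelta

LOGON_EVENT_ID = "528"            # assumption: successful logon in the Win2k Security log
TOLERANCE = timedelta(minutes=5)  # assumption: the logon script runs soon after the event
FMT = "%d/%m/%Y %H:%M:%S"         # assumption: day/month/year locale
# One logon.log line: %username% %time% %date% %clientname%
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,2}:\d{2}:\d{2})(?:[.,]\d+)?\s+"
                     r"(?:[A-Za-z]{2,3}\s+)?(\d{2}/\d{2}/\d{4})(?:\s+\S+)?$")

def parse_logon_log(text):
    """Return ([(user, datetime)], [unparsable lines]) from the script's log."""
    entries, bad = [], []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line.strip())
        if m:
            user, clock, day = m.groups()
            entries.append((user.lower(), datetime.strptime(f"{day} {clock}", FMT)))
        else:
            bad.append(line)  # truncated, interleaved or hand-edited line
    return entries, bad

def parse_security_export(text):
    """Return [(user, datetime)] for the logon events in a tab-delimited export."""
    events = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        if row["EventID"] == LOGON_EVENT_ID:
            when = datetime.strptime(f"{row['Date']} {row['Time']}", FMT)
            events.append((row["User"].split("\\")[-1].lower(), when))
    return events

def missing_from_logon_log(security_events, log_entries):
    """Security-log logons with no unused logon.log line within TOLERANCE."""
    unused, missing = list(log_entries), []
    for user, when in sorted(security_events, key=lambda e: e[1]):
        match = next((e for e in unused
                      if e[0] == user and abs(e[1] - when) <= TOLERANCE), None)
        if match:
            unused.remove(match)  # one log line accounts for one logon only
        else:
            missing.append((user, when))
    return missing

# Constructed samples: bob's 09:15 logon has no complete line in logon.log.
SECURITY_EXPORT = ("Date\tTime\tEventID\tUser\tComputer\n"
                   "04/12/2003\t09:01:10\t528\tCORP\\alice\tTS01\n"
                   "04/12/2003\t09:15:42\t528\tCORP\\bob\tTS01\n"
                   "04/12/2003\t17:30:05\t538\tCORP\\alice\tTS01\n")
LOGON_LOG = "alice  9:01:12.45 04/12/2003 PC-ALICE\nbob 9:1\n"

if __name__ == "__main__":
    entries, bad = parse_logon_log(LOGON_LOG)
    print(missing_from_logon_log(parse_security_export(SECURITY_EXPORT), entries), bad)
```

A logon reported as missing, or a line that fails to parse, is a prompt to look at that session in the Security EventLog itself, since the shared file is writable by every user who logs on.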

Michael
      12th Dec 2003
My goal is to have a simple list of user logon-logoff (username,
computername, date and time) because the Security EventLog is not easily
readable; I want to trace all the interactive sessions (logon from local
server, network logon from a PC, from a terminal server client, ...).
Is there a tool available that does this?

Vera Noest [MVP]
      13th Dec 2003
Yes, I understand exactly what you want, and have tried to give
you some alternatives.
Why is the echo-command still not enough for you? It seems to do
all that you want, both on logon and logoff. Have you read my
suggestions about your security problem? Again: would that work
for you?

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---

Michael
      15th Dec 2003
This solution gives me some problems:

- security problem: users can modify the log file, and comparing the log
file with the security log file is not easy
- concurrent access problem: there are some problems when two or more users
log in at the same time (the file is locked)

I am searching for an automatic tool that gives me that information by filtering
the security log file, without doing any manual and complex activities.

Thanks,
Michael


Vera Noest [MVP]
      15th Dec 2003
OK, I see. There are numerous third-party software packages out
there that do what you want, but most do much more and are costly.
All depends on how much you want to pay and how much manual work
you are willing to do to pay less.

Filtering of the EventLog and exporting the information can be
done for free, with nearly any freeware / shareware EventLog
management utility. The Windows 2000 Resource Kit contains a
number of utilities and scripts to automate this:

Windows 2000 Resource Kits - Tools
http://www.microsoft.com/windows2000.../default.asp#section2

TechNet Script Center - Logs
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/logs/default.asp

If you want total automation, you probably want to search for one
of the numerous user accounting management software packages, which
tend to cost a lot.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---
