We have a Windows 2k domain with 50 clients. We want details of the users who
logged in and logged out, at what time, on which system, and the IP address of
the system.
Are there any built-in or other tools by which I can get all the details?
Windows auditing can put login / logout info into the Windows Security Event
Logs on your domain controllers [for domain logins] and on the local system
[for logins using local Windows accounts]:
http://securityadmin.info/faq.asp?auditing
Enable this change on domain controllers for domain logins, and/or on all
your systems to monitor logins of local accounts.
Windows 2000 does not have a suitable native feature for logging IP
addresses like this. You can switch to Windows 2003, which does have this
feature. Or you can use a firewall device or software [or a sniffer such as
the free Wireshark / Ethereal at www.ethereal.com, or an IDS such as Snort
at www.snort.org] to log all IP addresses and data for all authentication
going to the domain controllers. You would then need to look at or
consolidate the two logs in order to determine which IP was associated with
which login. If you want, you can consolidate firewall logs with Windows
event logs by using free Syslog client and server software, such as Snare or
NTSyslog.
Windows authentication should happen on TCP 139, TCP 445, and/or TCP/UDP 88.
Tools like Snort may have a signature that allows you to ignore other
traffic occurring on those ports.
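
Added example (not part of the original reply): one way to do the consolidation step described above, matching each logon event to the source IP of authentication traffic seen at the domain controller shortly before it. The two log layouts, the sample lines, and the 5-second window are constructed assumptions, and the approach assumes both logs share a synchronized clock; event IDs 528 and 538 are the Windows 2000 logon and logoff events.

```python
from datetime import datetime, timedelta

AUTH_PORTS = {88, 139, 445}    # ports named in the reply above
WINDOW = timedelta(seconds=5)  # assumed tolerance between packet and event

# Constructed sample data in a simplified layout (not a real tool's format).
# Event log: timestamp,event_id,user   Firewall log: timestamp,src_ip,dst_port
EVENT_LOG = """\
2006-03-01 09:00:03,528,alice
2006-03-01 09:00:41,528,bob
2006-03-01 09:05:10,528,carol
2006-03-01 17:30:00,538,alice
"""
FIREWALL_LOG = """\
2006-03-01 09:00:01,192.168.1.21,88
2006-03-01 09:00:02,192.168.1.21,445
2006-03-01 09:00:39,192.168.1.22,88
2006-03-01 09:00:40,192.168.1.35,445
2006-03-01 09:03:00,192.168.1.40,80
"""

def _parse(text):
    """Yield (datetime, field2, field3) for each comma-separated line."""
    for line in text.strip().splitlines():
        ts, a, b = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), a, b

def correlate(event_log=EVENT_LOG, firewall_log=FIREWALL_LOG, window=WINDOW):
    """Return [(time, user, ip_or_status)] for each logon event (ID 528)."""
    conns = [(ts, ip) for ts, ip, port in _parse(firewall_log)
             if int(port) in AUTH_PORTS]
    results = []
    for ts, event_id, user in _parse(event_log):
        if event_id != "528":  # only logon events are matched to traffic
            continue
        # Source IPs seen on an auth port within the window before the event.
        ips = {ip for cts, ip in conns if timedelta(0) <= ts - cts <= window}
        if len(ips) == 1:
            verdict = ips.pop()
        elif ips:              # several clients authenticated at once
            verdict = "ambiguous: " + ", ".join(sorted(ips))
        else:
            verdict = "no matching connection"
        results.append((ts.strftime("%H:%M:%S"), user, verdict))
    return results

if __name__ == "__main__":
    for row in correlate():
        print(*row, sep="  ")
```

With 50 clients, simultaneous logons are likely at the start of the day, so the ambiguous rows are the ones to check by hand or against the workstation name recorded in the event.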