How to set up logon auditing

Microsoft Als windows xp professional
March 31, 2011 at 14:50:20
Specs: Win Server 2003 SBS, n/a
Hi there

I am trying to set up logon success auditing through group policy, but the event log just fills up with crap so fast (e.g. a 30MB event log within a few hours - large network though). Can anyone tell me how to set it up so only users of a certain OU (and sub OUs) have their logons logged, and only one event per logon, as there seem to be like 10 now?

Thanks



#1
April 1, 2011 at 03:05:19
Search the keyword in Google "active directory users logon report". You will get some results.

http://serveradministrators.blogspo...



#2
April 3, 2011 at 16:32:33
That would be a good solution (batch file) but we have various users who connect using wireless cards remotely so the login script won't run for them, which is why I need to use auditing, since that will log when they are authenticated against the domain controller (when they first try to access a network resource).


#3
April 4, 2011 at 07:56:51
Even the Windows Auditing on the Domain will only track logons on the domain. You could try to set up local auditing but then you would need to somehow transfer the audit logs when the computers join the domain. I would suggest installing a local batch script on the laptops that would be able to detect when the computer is connected to the domain and transmit its logs.

Most of my Virtual Office users use VPN but there must be times they log on when not connected. I think I will do the same thing with my audit scripts and get back to you with the details. (As soon as I can find time.)



#4
April 4, 2011 at 21:45:09
Thanks Ace. Not worried about local auditing, but with the remote users I just need to know when they are authenticated by the domain controller (i.e. when they access a resource), which account logon auditing does record.

The problem is the insane amount of event logs that are created. I was wondering if that could be cut down at all. I have had no luck in my searches.



#5
April 4, 2011 at 22:29:37


#6
April 5, 2011 at 13:23:59
I had the same issue so I wrote my own auditing like suggested by Ganesank123. I simply made a new OU called Audit and in its Logon and Logoff I had scripts like...

@echo off
cls
rem Share on the audit server that collects the log files
set AuditPath=\\10.100.100.9\Audit
rem Append one logon record (computer, user, date, time, IP configuration) to the shared log
echo ************************************** >> %AuditPath%\loginlog.txt
echo LogOn %computername% %username% >> %AuditPath%\loginlog.txt
date /t >> %AuditPath%\loginlog.txt
time /t >> %AuditPath%\loginlog.txt
ipconfig >>%AuditPath%\loginlog.txt
echo ************************************** >> %AuditPath%\loginlog.txt
rem Append the open ports and IP configuration to this computer's own file
echo Logging Open Ports...
netstat -a >> %AuditPath%\%computername%.txt
ipconfig >> %AuditPath%\%computername%.txt

Your needs are probably different from mine but this is what my script looks like because I keep a file for each computer that logs open ports. Note the logoff script looks like...

rem Logoff script: append one logoff record (computer, user, date, time) to the shared log
set AuditPath=\\10.100.100.9\Audit
echo ************************************** >> %AuditPath%\loginlog.txt
echo LogOff %computername% %username% >> %AuditPath%\loginlog.txt
date /t >> %AuditPath%\loginlog.txt
time /t >> %AuditPath%\loginlog.txt
echo ************************************** >> %AuditPath%\loginlog.txt

Hope it helps.



#7
April 5, 2011 at 20:59:21
Hi ace,

Please follow the steps I have specified in the last post in that link. It will give an accurate result.

http://serveradministrators.blogspo...



#8
April 7, 2011 at 14:22:48
The login script way would be great, but unfortunately we have remote aircard users who log on while not connected, and then connect, but the login script isn't run that way. That is why I need to do it through group policy auditing, as that will log when they are authenticated against the domain controller when they try to access a share or something. The problem is just the insane amount of logs; I need to find a way to cut it down.


#9
April 7, 2011 at 15:28:02
Oh sorry, I thought you said you only want to know when they authenticate to a server. When they are away they don't authenticate to the server because they cannot access any of the domain resources when offline. Kinda confused as to what you want. If you care about when they log in to the computer both online and offline then run the script locally on each c:. Just use the RUN registry key. If you want only when they are connected to the domain then the script will always run because they have to log on to authenticate. If you want to know every time they access a domain resource that might be a little harder because single sign-on makes it so they only have to sign on once. Not sure. If you want to continue to use Windows Authentication Auditing then make a filter that will filter out the events you want.

http://technet.microsoft.com/en-us/...


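An added example, not part of any post in this thread: one way to build the kind of filter suggested in #9 over an exported Security log, keeping only users under one OU (and its sub-OUs) and one record per logon. The CSV layout, the user and OU names and the 30-minute quiet window are constructed, and treating event 672 (the Windows Server 2003 Kerberos authentication ticket request) as the logon marker is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not from the thread): one row per Security-log event.
SAMPLE_EVENTS = """time,event_id,user,client
2011-04-07 08:01:10,672,jsmith,10.0.0.21
2011-04-07 08:01:10,673,jsmith,10.0.0.21
2011-04-07 08:01:11,673,jsmith,10.0.0.21
2011-04-07 08:01:12,540,jsmith,10.0.0.21
2011-04-07 08:03:40,672,jsmith,10.0.0.21
2011-04-07 08:05:00,672,bjones,10.0.0.37
2011-04-07 09:15:00,672,akhan,10.0.0.44
2011-04-07 13:30:00,672,jsmith,10.0.0.21
"""
# Constructed user -> distinguished name map, e.g. taken from a directory export.
USER_DN = {
    "jsmith": "CN=J Smith,OU=Remote,OU=Staff,DC=example,DC=local",
    "akhan": "CN=A Khan,OU=Staff,DC=example,DC=local",
    "bjones": "CN=B Jones,OU=Contractors,DC=example,DC=local",
}
# Assumption: 672 (Kerberos TGT request on Server 2003) marks a logon;
# 673 (service ticket) and 540 (network logon) are the repeated noise.
TGT_REQUEST = 672

def in_ou(dn, ou_dn):
    """True if dn sits in ou_dn or any sub-OU (suffix match on an RDN boundary)."""
    return dn.lower().endswith("," + ou_dn.lower())

def logons(events_csv, user_dn, ou_dn, quiet=timedelta(minutes=30)):
    """Return one (time, user, client) tuple per logon for users under ou_dn."""
    last_seen, out = {}, []
    for row in csv.DictReader(io.StringIO(events_csv)):
        if int(row["event_id"]) != TGT_REQUEST:
            continue  # drop the per-resource events that flood the log
        user = row["user"].lower()
        if not in_ou(user_dn.get(user, ""), ou_dn):
            continue  # unknown user or outside the audited OU
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        key = (user, row["client"])
        prev = last_seen.get(key)
        last_seen[key] = when
        # Repeat ticket requests inside the quiet window count as the same logon.
        if prev is None or when - prev > quiet:
            out.append((row["time"], user, row["client"]))
    return out

if __name__ == "__main__":
    for rec in logons(SAMPLE_EVENTS, USER_DN, "OU=Staff,DC=example,DC=local"):
        print(*rec)
```

NTLM authentications do not produce event 672, so a network that still uses NTLM would need a second marker event added to the filter.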
