Logon/Logoff Report from AD (2008 R2)

  • Question

  • Hi,
    I know this is a very common question from IT administrators and there are a lot of articles about it as well. But I have not yet been able to satisfy my customer's requirement. He needs a report which contains users' logon/logoff information. It should contain date and time, computer name or IP address, username, and whether this is a logon or logoff entry. So I came up with a solution and I followed the article below.
    From the above article I did everything right and I got an output which is very neat. We can import it into an Excel file and filter the data as well. But the problem with this is that users are able to access this file from the server and can change this file too, because this is a shared file with full or write permission. My customer requires something that cannot be changed by users.
    First, I have given full permission to domain users for sharing and NTFS permissions. Only then can logon/logoff data be successfully written to the text file located on the server. I tried different methods of permissions for sharing and NTFS, but none of them writes that data to the log file. Obviously it should act like that because it has something to write. Anyway, is there anything that I can do to protect this file from unauthorized users?
    The other way is that the customer needs only a report which gives logon/logoff information of users with the previously mentioned information. Therefore I tried to extract data from the Security log of the Event Viewer (already enabled "Audit account logon events"). I tried a few methods, listed below.

    I have gone through the above article and tried to retrieve logon/logoff events using Logparser. But it was also unsuccessful. I tried using event IDs 4624 and 4634 but it didn't succeed.

    I tried the article below as well. But it didn't succeed either. It shows logon/logoff information for the specified computer only.

    Is there any PowerShell script that I can use to extract domain user logon/logoff information from the Event Viewer?

    Could you please help me find something for the above requirement? The way the report is taken doesn't matter.


    Thisaru Perera.

    Thursday, August 29, 2013 10:11 AM
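
One way to build the requested report (date and time, computer, username, source IP, logon or logoff) from Security log events 4624 and 4634 with `Get-WinEvent`, as an added example that is not part of the original post. It assumes an account allowed to read the Security log on every host in `$Computers` and that those hosts audit logon events; `$Computers`, `$Since` and `$OutFile` are hypothetical parameters with placeholder defaults.

```powershell
# Added example; $Computers, $Since and $OutFile are assumed values, replace with your own.
param(
    [string[]]$Computers = @($env:COMPUTERNAME),
    [datetime]$Since     = (Get-Date).AddDays(-1),
    [string]$OutFile     = '.\LogonLogoffReport.csv'
)

# Logon types kept: 2 = interactive, 7 = unlock, 10 = RemoteInteractive (RDP), 11 = cached interactive
$InterestingTypes = '2', '7', '10', '11'

$report = foreach ($computer in $Computers) {
    $filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning ('{0}: {1}' -f $computer, $_.Exception.Message)   # unreachable host or no matching events
        continue
    }
    foreach ($evt in $events) {
        # Read EventData fields by name; their positions differ between 4624 and 4634
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        if ($InterestingTypes -notcontains $data['LogonType']) { continue }   # drop network/service logons
        if ($data['TargetUserName'] -like '*$') { continue }                  # drop computer accounts
        $action = 'Logoff'; if ($evt.Id -eq 4624) { $action = 'Logon' }
        New-Object PSObject -Property @{
            TimeCreated = $evt.TimeCreated
            Computer    = $evt.MachineName
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Action      = $action
            LogonType   = $data['LogonType']
            SourceIP    = $data['IpAddress']   # recorded on 4624 only; empty for 4634
        }
    }
}

if ($report) {
    $report | Sort-Object TimeCreated |
        Select-Object TimeCreated, Computer, User, Action, LogonType, SourceIP |
        Export-Csv -Path $OutFile -NoTypeInformation
}
```

Because the report is pulled from the event logs by one administrative account, `$OutFile` can sit in a folder that ordinary users cannot write to. Interactive logons are recorded on the computer where they happen, so `$Computers` has to list the workstations and servers to be covered, not only a domain controller.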