Disclaimer:
This is a reference post for myself, just to recall it later when I need it.
There are tons of tools/apps that can automate such tasks, but being lazy/blockheaded, or fond of fetching results using an out-of-the-box approach, I usually try to select a method that works for me and seems easy to me, plus offers some learning. You may follow the internet to get a more elegant / less complicated solution. Read it just to add ideas on how dumb-heads like me do their work with a different-dimension approach, and learn so that you may enhance it or at least not follow it, for many reasons ;). This was a drafted version; later I modified this task for more presentable formatting. Windows batch files are far behind bash in advanced coding, but we understand the limitation due to the Microsoft platform.
I used WINTAIL to view real-time logging of the specific system. We can modify the scripting to any level we want it to be; for example, we can log this info to our Linux-based MySQL server, email the event, etc. 😀
Sky is the only limit !
Zaib!
Scenario #1:
We have a domain environment in our office and we want to log all users' login / logoff / session-continued / RDP login / DameWare remote access events into one centralized folder, with per-username and per-computername LOG files.
Example:
- When a user logs in to the workstation
- When a user logs off from the workstation
- When the workstation gets LOCKED due to an inactive session (after 5 minutes via GP)
- When the user connects to any previous session, either locally or remotely
- When the user re-logs in to the system (unlock)
- Log info like RDP IP / DAMEWARE IP / LOCAL LOGIN
The following information should be recorded in a simple log file at the remote server. There must be 2 log files for each user, one for the USER ID and a second for the COMPUTER NAME, so that we can view which users logged in to a PC, or which ID was used to log in to a PC. I am unable to explain right now, but later.
- Event Type: LOGIN OR LOGOFF
- RDP Client IP: If the user is logged in via RDP, their IP should be logged
- DAMEWARE IP: If the user is logged in using the DameWare remote app, their IP should be logged; it will be triggered by Event ID 1102
- Remote Client PC DNS Name: The remote client's Windows DNS name should be logged
- Username: Domain User ID being used to log in to the workstation
- Computername: Name of the workstation the user is logging in to
- Date / Time
Solution:
Since we are using Active Directory, we can use Login/Logoff scripts via DOMAIN Group Policy. What we will do is create new Task Scheduler entries via GPO that trigger tasks on specific actions like login/logoff/lock/unlock etc.
Requirements:
- grep [Linux tool, Windows build; copy its files to a shared folder like \\DC1\TOOLS]
- sed [Linux tool, Windows build; copy its files to a shared folder like \\DC1\TOOLS]
- login-log.cmd: this file adds a login entry to the user/computer log files [Copy it to the DC SYSVOL folder]
- logoff.cmd: this file adds a logoff entry to the user/computer log files [Copy it to the DC SYSVOL folder]
- lock-log.cmd: this will log the unlock event in the user/computer log files [Copy it to the DC SYSVOL folder]
- relogin-log.cmd: this will log any session continue (relogin after lock)
- Some additions in Group Policy to trigger the tasks via GPO
Download the grep/sed tools (which will trim text as required) and place all contents in a shared location which all users can access, for example \\DC1\tools (the scripts below also call awk from the same share).
Create another folder named \\DC1\userlogs which users can only write to, but not browse.
Now create the files for the different tasks.
login-log.cmd (copy it to DC01 or the DOMAIN User Scripts/LOGIN folder)
@echo off
cls
net time \\DC1 /set /y
rem Use windows logged in user TEMP location
set TEMPLOC=%temp%
if not exist %TEMPLOC% mkdir %TEMPLOC%
set DC=DC1
set DOMAIN=DOMAIN.LOCAL
set RDPIP=
set RDPCOMPNAME=
set DWIP=
set DWCOMPNAME=
set LOGSERVERBYUSERNAME=\\%DC%\userlog\%USERNAME%.log
set LOGTOSERVERBYCOMPNAME=\\%DC%\userlog\%COMPUTERNAME%.log
set RDPFILE=%TEMPLOC%\RDPIPFILE.TXT
set DWIPFILE=%TEMPLOC%\DWIPfile.txt
set DWCOMPNAMEFILE=%TEMPLOC%\DWCOMPfile.txt
set RDPCOMPFILENAME=%TEMPLOC%\RDPCOMPfile.txt
rem Get IP Address (first address in the ping reply for this computer)
for /f "skip=1 tokens=2 delims=[]" %%a in ('ping.exe -n 1 %Computername%') do (set "LOCALIP=%%a" & goto :exitFor1)
:exitFor1
rem Remote address of any ESTABLISHED RDP (3389) connection, port stripped, saved to a temp file
netstat -na | find "3389" | find "ESTABLISHED" | \\%DC%\tools\awk "{print $3}" | \\%DC%\tools\sed s/:.*// > %RDPFILE%
set /p RDPIP=<%RDPFILE%
IF "%RDPIP%"=="" (
    set RDPIP=x
    set RDPCOMPNAME=x
) else (
    set /p RDPIP=<%RDPFILE%
    rem [the command that wrote the RDP client name into %RDPCOMPFILENAME% was lost in the page extraction]
    set /p RDPCOMPNAME=<%RDPCOMPFILENAME%
)
rem [the commands that wrote the DameWare client IP and name (Event ID 1102) into %DWIPFILE% and %DWCOMPNAMEFILE% were lost in the page extraction]
set /p DWIP=<%DWIPFILE%
set /p DWCOMPNAME=<%DWCOMPNAMEFILE%
rem Append the same LOGIN line to the per-user and the per-computer log
echo LOGIN -- %DATE% %TIME% / User: %USERNAME% / PC: %COMPUTERNAME% / PC.IP: %LOCALIP% / DC: %LOGONSERVER% / RDP: %RDPIP% %RDPCOMPNAME% / DW: %DWIP% %DWCOMPNAME% >> %LOGSERVERBYUSERNAME%
echo LOGIN -- %DATE% %TIME% / User: %USERNAME% / PC: %COMPUTERNAME% / PC.IP: %LOCALIP% / DC: %LOGONSERVER% / RDP: %RDPIP% %RDPCOMPNAME% / DW: %DWIP% %DWCOMPNAME% >> %LOGTOSERVERBYCOMPNAME%
wscript //e:vbscript \\%DOMAIN%\sysvol\%DOMAIN%\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logon\welcome.vbs
lock-login.cmd
@echo off
echo LOCKED -- %DATE% %TIME% / USER: %USERNAME% / PC: %COMPUTERNAME% >> \\DC\userlog\%USERNAME%.log
echo LOCKED -- %DATE% %TIME% / USER: %USERNAME% / PC: %COMPUTERNAME% >> \\DC\userlog\%COMPUTERNAME%.log
RELOGIN-LOG.CMD
@echo off
cls
rem Use windows logged in user TEMP location
set TEMPLOC=%temp%
if not exist %TEMPLOC% mkdir %TEMPLOC%
set DC=DC1
set RDPIP=
set RDPCOMPNAME=
set DWIP=
set DWCOMPNAME=
set LOGSERVERBYUSERNAME=\\%DC%\userlog\%USERNAME%.log
set LOGTOSERVERBYCOMPNAME=\\%DC%\userlog\%COMPUTERNAME%.log
set RDPFILE=%TEMPLOC%\RDPIPFILE.TXT
set DWIPFILE=%TEMPLOC%\DWIPfile.txt
set DWCOMPNAMEFILE=%TEMPLOC%\DWCOMPfile.txt
set RDPCOMPFILENAME=%TEMPLOC%\RDPCOMPfile.txt
rem Get IP Address (first address in the ping reply for this computer)
for /f "skip=1 tokens=2 delims=[]" %%a in ('ping.exe -n 1 %Computername%') do (set "LOCALIP=%%a" & goto :exitFor1)
:exitFor1
rem Remote address of any ESTABLISHED RDP (3389) connection, port stripped, saved to a temp file
netstat -na | find "3389" | find "ESTABLISHED" | \\%DC%\tools\awk "{print $3}" | \\%DC%\tools\sed s/:.*// > %RDPFILE%
set /p RDPIP=<%RDPFILE%
IF "%RDPIP%"=="" (
    set RDPIP=x
    set RDPCOMPNAME=x
) else (
    set /p RDPIP=<%RDPFILE%
    rem [the command that wrote the RDP client name into %RDPCOMPFILENAME% was lost in the page extraction]
    set /p RDPCOMPNAME=<%RDPCOMPFILENAME%
)
rem [the commands that wrote the DameWare client IP and name (Event ID 1102) into %DWIPFILE% and %DWCOMPNAMEFILE% were lost in the page extraction]
set /p DWIP=<%DWIPFILE%
set /p DWCOMPNAME=<%DWCOMPNAMEFILE%
rem Append the same SESSION-CONTINUED line to the per-user and the per-computer log
echo SESSION-CONTINUED -- %DATE% %TIME% / User: %USERNAME% / PC: %COMPUTERNAME% / PC.IP: %LOCALIP% / DC: %LOGONSERVER% / RDP: %RDPIP% %RDPCOMPNAME% / DW: %DWIP% %DWCOMPNAME% >> %LOGSERVERBYUSERNAME%
echo SESSION-CONTINUED -- %DATE% %TIME% / User: %USERNAME% / PC: %COMPUTERNAME% / PC.IP: %LOCALIP% / DC: %LOGONSERVER% / RDP: %RDPIP% %RDPCOMPNAME% / DW: %DWIP% %DWCOMPNAME% >> %LOGTOSERVERBYCOMPNAME%
LOGOFF.CMD (copy it to DC01 or the DOMAIN User Scripts/LOGOFF folder) ### NOT USED ANYMORE, IGNORE IT
@echo off
cls
rem Use windows logged in user TEMP location
set TEMPLOC=%temp%
if not exist %TEMPLOC% mkdir %TEMPLOC%
set DC=DC1
set RDPIP=
set RDPCOMPNAME=
set DWIP=
set DWCOMPNAME=
set LOGSERVERBYUSERNAME=\\%DC%\userlog\%USERNAME%.log
set LOGTOSERVERBYCOMPNAME=\\%DC%\userlog\%COMPUTERNAME%.log
set RDPFILE=%TEMPLOC%\RDPIPFILE.TXT
set DWIPFILE=%TEMPLOC%\DWIPfile.txt
set DWCOMPNAMEFILE=%TEMPLOC%\DWCOMPfile.txt
set RDPCOMPFILENAME=%TEMPLOC%\RDPCOMPfile.txt
rem Get IP Address (first address in the ping reply for this computer)
for /f "skip=1 tokens=2 delims=[]" %%a in ('ping.exe -n 1 %Computername%') do (set "LOCALIP=%%a" & goto :exitFor1)
:exitFor1
rem Remote address of any ESTABLISHED RDP (3389) connection, port stripped, saved to a temp file
netstat -na | find "3389" | find "ESTABLISHED" | \\%DC%\tools\awk "{print $3}" | \\%DC%\tools\sed s/:.*// > %RDPFILE%
set /p RDPIP=<%RDPFILE%
IF "%RDPIP%"=="" (
    set RDPIP=x
    set RDPCOMPNAME=x
) else (
    set /p RDPIP=<%RDPFILE%
    rem [the command that wrote the RDP client name into %RDPCOMPFILENAME% was lost in the page extraction]
    set /p RDPCOMPNAME=<%RDPCOMPFILENAME%
)
rem [the commands that wrote the DameWare client IP and name (Event ID 1102) into %DWIPFILE% and %DWCOMPNAMEFILE% were lost in the page extraction]
set /p DWIP=<%DWIPFILE%
set /p DWCOMPNAME=<%DWCOMPNAMEFILE%
rem Append the same LOGOFF line to the per-user and the per-computer log
echo LOGOFF -- %DATE% %TIME% / User: %USERNAME% / PC: %COMPUTERNAME% / PC.IP: %LOCALIP% / DC: %LOGONSERVER% / RDP: %RDPIP% %RDPCOMPNAME% / DW: %DWIP% %DWCOMPNAME% >> %LOGSERVERBYUSERNAME%
echo LOGOFF -- %DATE% %TIME% / User: %USERNAME% / PC: %COMPUTERNAME% / PC.IP: %LOCALIP% / DC: %LOGONSERVER% / RDP: %RDPIP% %RDPCOMPNAME% / DW: %DWIP% %DWCOMPNAME% >> %LOGTOSERVERBYCOMPNAME%
Windows Task Scheduler Configuration via GPO
Note: For DameWare, first log in to your domain controller via DameWare, so that its DWMRCS application name appears in the SOURCE list when you pick the event trigger.
For the login welcome script, I used a startup script like welcome.vbs and copied this welcome.vbs into the user scripts section.
welcome.vbs
Dim wshshell
Dim wshenv
Set wshshell = CreateObject("Wscript.Shell")
Set wshenv = WshShell.Environment("VOLATILE")
' sample logon script
' first let's create the objects we'll be using
Dim objShell, objNetwork
Set objShell = WScript.CreateObject("WScript.Shell")
Set objNetwork = WScript.CreateObject("WScript.Network")
' let's display a welcome message
Dim strDomain, strUser
strDomain = objNetwork.UserDomain
strUser = objNetwork.UserName
LOGONSERVER = WshShell.ExpandEnvironmentStrings("%LOGONSERVER%")
'msgbox "Welcome to my domain. " & strUser & " Your Login Server is " & LOGONSERVER & " ! "
msgbox "" & strUser & " - Welcome to my domain " & vbCrLf & "Your Login Server is " & LOGONSERVER & " ! "
' msgbox "Welcome to the " & strDomain & ", " & strUser & "!" , " & "LOGONSERVER"
' Syed jahanzaib
I then created a BATCH file and set it as the LOGON SCRIPT, which opens the VB file (this was required because the .vbs file was not executing directly; this is why I used a HELPER file):
wscript //e:vbscript \\DOMAIN.LOCAL\sysvol\domain_name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logon\welcome.vbs
Login/Logoff Scripts addition via GPO
Result:
Now you can open the log file at the log server, or on the local PC as well.
LOGOFF -- Username: syed.jahanzaib / PC_name: IT-TESTING / RDP Client IP: LOCAL-LOGIN - DW IP: x / Wed 02/27/2019 13:41:08.96
LOCKED -- Wed 02/27/2019 13:42:05.06 / USER: MEEEE / PC: SYED_JAHANZAIB
LOGIN -- Wed 02/27/2019 13:42:53.35 / User: MEEEE / PC: IT-TESTING / PC.IP: 1.1.1.1 / DC: \\DC / RDP: x x / DW: x x
LOCKED -- Wed 02/27/2019 13:43:05.79 / USER: MEEEE / PC: IT-TESTING
SESSION-CONTINUED -- Wed 02/27/2019 13:43:10.74 / User: MEEEE / PC: IS-TESTING / PC.IP: 1.1.1.1 / DC: \\DC / RDP: x x / DW: x x
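Once the per-user and per-computer logs sit on the central server (or have been shipped to the Linux/MySQL box mentioned above), they are easy to review programmatically. The following Python is an added example, not part of the original post: it parses the line format the login-log / lock-log / relogin-log scripts write, lists the events that arrived over RDP or DameWare, and flags users with LOGIN events on more than one workstation. The sample lines and hostnames are constructed.

```python
from datetime import datetime

# Constructed sample lines in the format written by login-log.cmd, lock-log.cmd and
# relogin-log.cmd above (not a real server log; the retired LOGOFF format is not covered).
SAMPLE_LOG = """\
LOGIN -- Wed 02/27/2019 13:42:53.35 / User: MEEEE / PC: IT-TESTING / PC.IP: 1.1.1.1 / DC: \\\\DC / RDP: x x / DW: x x
LOCKED -- Wed 02/27/2019 13:43:05.79 / USER: MEEEE / PC: IT-TESTING
SESSION-CONTINUED -- Wed 02/27/2019 13:43:10.74 / User: MEEEE / PC: IT-TESTING / PC.IP: 1.1.1.1 / DC: \\\\DC / RDP: 10.0.0.25 ADMIN-PC / DW: x x
LOGIN -- Wed 02/27/2019 13:50:00.00 / User: MEEEE / PC: HR-PC07 / PC.IP: 1.1.1.2 / DC: \\\\DC / RDP: x x / DW: 10.0.0.99 HELPDESK1
"""

TS_FORMAT = "%a %m/%d/%Y %H:%M:%S.%f"  # cmd's "%DATE% %TIME%" in the US-format locale used here

def parse_line(line):
    """One log line -> dict with event, time and lower-cased 'Key: value' fields."""
    head, sep, rest = line.partition(" -- ")
    if not sep:
        return None                      # not a line the scripts wrote
    fields = [f.strip() for f in rest.split(" / ")]
    event = {"event": head.strip(), "time": datetime.strptime(fields[0], TS_FORMAT)}
    for field in fields[1:]:             # "User: MEEEE", "PC.IP: 1.1.1.1", ...
        key, _, value = field.partition(":")
        event[key.strip().lower()] = value.strip()
    # RDP and DW hold "ip hostname", or "x x" when the script found no remote session.
    for key in ("rdp", "dw"):
        ip, _, name = event.get(key, "x x").partition(" ")
        event[key] = None if ip == "x" else (ip, name)
    return event

def parse_log(text):
    parsed = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in parsed if e is not None]

def remote_access(events):
    """(user, pc, RDP|DW, ip, hostname) for every event reached over RDP or DameWare."""
    return [(e["user"], e["pc"], k.upper()) + e[k]
            for e in events for k in ("rdp", "dw") if e.get(k)]

def users_on_several_pcs(events):
    """Users with LOGIN events on more than one workstation, for follow-up."""
    seen = {}
    for e in events:
        if e["event"] == "LOGIN":
            seen.setdefault(e["user"], set()).add(e["pc"])
    return {u: sorted(p) for u, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(remote_access(evs), users_on_several_pcs(evs))
```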
userlog Folder Permission
At the remote log server (I used my domain controller) you can set permissions on the userlog folder so that users can only write to it, but not browse it.
TIP: Deleting scheduled task via Group Policy
In Group Policy, I created a scheduled task (At least Windows 7) and in GENERAL > Action selected DELETE, and in ACTION I had to mention a program because without it the TASK was not accepted, so I selected cmd.exe
As following …
Once the GPO is applied to the workstation, the task gets deleted successfully (even if the user creates it manually, it will get deleted on the next login or when GP is next refreshed/re-applied).
Syed.Jahanzaib