Syed Jahanzaib Personal Blog to Share Knowledge !

January 19, 2017

Windows Users Centralized Logging with AD & GPO

Filed under: Microsoft Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 7:12 PM

Disclaimer:
This is a reference post for myself, to recall it later when I need it.
There are tons of tools/apps that can automate such tasks, but being lazy/blockhead or fond of fetching results using an out-of-the-box approach, I usually try to select the method that works for me and which seems easy to me, plus with some learning. You may follow the internet to get a more elegant / less complicated solution. Read it just to add ideas on how dumb-heads like me do their work in another-dimension approach; learn so that you may enhance it, or at least not follow it, for many reasons ;). This was a drafted version; later I modified this task for more presentable formatting. Windows batch files are far behind in advanced coding as compared to bash, but we understand the limitation due to the Microsoft platform.

I used WinTail to view real-time logging of the specific system. We can modify the scripting to any level we want it to be; for example, we can log this info to our Linux-based MySQL server, email the event, etc. 😀

Sky is the only limit !

Zaib!


Scenario#1:

We have a domain environment in our office. On one Windows 7 workstation we have an important application installed which is accessed by specific users over remote (RDP and DameWare remote app) sessions, and due to some specific issues, management wanted to store full logs for the following events only:

  1. When a user logs in to the workstation
  2. When a user logs off from the workstation
  3. When the workstation gets LOCKED due to an inactive session (after 5 minutes)
  4. When a user connects to any previous session, either locally or remotely
  5. When a user re-logs in to the system (unlock)

The following information should be recorded in a simple log file on a remote server. There must be 2 log files for each user: one named after the USER ID, and a second named after the COMPUTER NAME, so that we can view which users logged in to a PC, or which ID was used to log in to a PC. I am unable to explain this right now, but later.

  1. Event Type: LOGIN or LOGOFF
  2. RDP Client IP: if the user is logged in via RDP, his IP should be logged
  3. DameWare IP: if the user is logged in using the DameWare remote app, his IP should be logged; it will be triggered by Event ID 1102
  4. Remote Client PC DNS Name: the remote client's Windows DNS name should be logged
  5. Username: the domain user ID which is being used to log in to the workstation
  6. Computername: the name of the workstation the user is logging in to
  7. Date / Time

Solution:

Since we are using Active Directory, we can use login/logoff scripts via domain Group Policy. What we will do is create new Task Scheduler entries via GPO that trigger a script on specific session events like login/logoff/lock/unlock.

Requirements:

  • grep
    [Windows build of the Linux tool; copy its files to a shared folder like \\DC1\TOOLS]
  • sed
    [Windows build of the Linux tool; copy its files to a shared folder like \\DC1\TOOLS]
  • login-log.cmd
    This file will add a login entry to the user/computer log file [copy it to the DC SYSVOL folder]
  • logoff.cmd
    This file will add a logoff entry to the user/computer log file [copy it to the DC SYSVOL folder]
  • lock-log.cmd
    This will add a lock entry to the user/computer log file [copy it to the DC SYSVOL folder]
  • Some additions to group policy to add task triggering via GPO

Download grep/sed and place all their contents in a shared location which all users can access, for example DC1\tools. (The scripts below call \\DC1\tools\awk and \\DC1\tools\sed, so awk must be in the same share.)

Create another folder named DC1\userlogs to which users can only write, but which they should not be able to browse (the scripts below write to \\DC1\userlog).

Now create the files for the different tasks.


login-log.cmd

@echo off
rem Script to add LOGIN log to our log server
rem *** by Syed Jahanzaib aacable@hotmail.com ***
cls
rem Create Backup folder if not exists already
set "TEMPLOC=C:\BACKUP"
if not exist "%TEMPLOC%" mkdir "%TEMPLOC%"
set LOGLOCAL="%TEMPLOC%\LOCAL.LOG"
set LOGSERVER="\\DC1\userlog\%USERNAME%.log"
set LOGSERVER2="\\DC1\userlog\%COMPUTERNAME%.log"
set IPFILE="%TEMPLOC%\IP.TXT"
set COMPFILE="%TEMPLOC%\COMPNAME.TXT"
set DAMWIPFILE="%TEMPLOC%\damwipfile.txt"
set DAMWCOMPFILE="%TEMPLOC%\damwip.txt"
set IPADD=
set DAMWIP=
set COMPNAME=
set LOCALIP=
del %IPFILE% 2> nul
del %COMPFILE% 2> nul
del %DAMWIPFILE% 2> nul
rem Kill any nslookup left hanging from an earlier run (it blocks when DNS is unreachable)
taskkill /F /IM nslookup.exe 2> nul

rem Get local IP address from the "Pinging HOST [a.b.c.d] ..." line (-4 forces the IPv4 address)
for /f "skip=1 tokens=2 delims=[]" %%a in ('ping.exe -4 -n 1 %COMPUTERNAME%') do (set "LOCALIP=%%a" & goto :exitFor1)
:exitFor1

rem RDP client IP: foreign address (column 3) of the ESTABLISHED connection to local port 3389
netstat -na | find ":3389" | find "ESTABLISHED" | \\DC1\tools\awk "{print $3}" | \\DC1\tools\sed s/:.*// > %IPFILE%
set /p IPADD=<%IPFILE%
if "%IPADD%"=="" set IPADD=x

rem Resolve the client name only when an address was actually found (file not empty)
for %%A in (%IPFILE%) do if %%~zA==0 goto :skipname
nslookup %IPADD% | \\DC1\tools\sed -n "4p" | \\DC1\tools\awk "{print $2}" > %COMPFILE%
set /p COMPNAME=<%COMPFILE%
:skipname

rem DameWare client IP: foreign address of the ESTABLISHED connection to local port 6129
netstat -na | find ":6129" | find "ESTABLISHED" | \\DC1\tools\sed -n "2p" | \\DC1\tools\awk "{print $3}" | \\DC1\tools\sed s/:.*// > %DAMWIPFILE%
set /p DAMWIP=<%DAMWIPFILE%
rem 127.0.0.1 is the DameWare service talking to itself, not a remote operator
if "%DAMWIP%"=="127.0.0.1" set DAMWIP=x
if "%DAMWIP%"=="" set DAMWIP=x
if "%DAMWIP%"=="x" goto :nodamw
rem DameWare operator found: his PC name replaces the RDP one
nslookup %DAMWIP% | \\DC1\tools\sed -n "4p" | \\DC1\tools\awk "{print $2}" > %DAMWCOMPFILE%
set /p COMPNAME=<%DAMWCOMPFILE%
goto :skip
:nodamw
rem No DameWare peer and no RDP peer means a local (console) login
if "%IPADD%"=="x" set IPADD=LOCAL-LOGIN
:skip
if "%COMPNAME%"=="" set COMPNAME=LOCAL-LOGIN

rem Show on screen (useful when running the script by hand)
echo RDP Client IP: %IPADD% - DW IP: %DAMWIP% / Remote Client PC: %COMPNAME%
echo Login User: %USERNAME% / To: %COMPUTERNAME% / Local IP: %LOCALIP% / %DATE% %TIME%

rem Append the same record to the per-user and per-computer log on the server, then to the local log
for %%L in (%LOGSERVER% %LOGSERVER2% %LOGLOCAL%) do (
    echo --------------------------------- >> %%L
    echo LOGIN >> %%L
    echo RDP Client IP: %IPADD% - DW IP: %DAMWIP% / Remote Client PC: %COMPNAME% >> %%L
    echo Username - %USERNAME% / Computer - %COMPUTERNAME% / %DATE% %TIME% >> %%L
    echo --------------------------------- >> %%L
)

lock-login.cmd


@echo off
cls
rem *** Script to add "workstation is locked" entry in log file ***
rem *** Syed Jahanzaib aacable@hotmail.com ***
rem Create Backup folder if not exists already
set "TEMPLOC=C:\BACKUP"
if not exist "%TEMPLOC%" mkdir "%TEMPLOC%"
set LOGLOCAL="%TEMPLOC%\LOCAL.LOG"
set LOGSERVER="\\DC1\userlog\%USERNAME%.log"
set LOGSERVER2="\\DC1\userlog\%COMPUTERNAME%.log"
set IPFILE="%TEMPLOC%\IP.TXT"
set COMPFILE="%TEMPLOC%\COMPNAME.TXT"
set DAMWIPFILE="%TEMPLOC%\damwipfile.txt"
set DAMWCOMPFILE="%TEMPLOC%\damwip.txt"
set IPADD=
set DAMWIP=
set COMPNAME=
set LOCALIP=
del %IPFILE% 2> nul
del %COMPFILE% 2> nul
del %DAMWIPFILE% 2> nul
rem Kill any nslookup left hanging from an earlier run (it blocks when DNS is unreachable)
taskkill /F /IM nslookup.exe 2> nul

rem Get local IP address from the "Pinging HOST [a.b.c.d] ..." line (-4 forces the IPv4 address)
for /f "skip=1 tokens=2 delims=[]" %%a in ('ping.exe -4 -n 1 %COMPUTERNAME%') do (set "LOCALIP=%%a" & goto :exitFor1)
:exitFor1

rem RDP client IP: foreign address (column 3) of the ESTABLISHED connection to local port 3389
netstat -na | find ":3389" | find "ESTABLISHED" | \\DC1\tools\awk "{print $3}" | \\DC1\tools\sed s/:.*// > %IPFILE%
set /p IPADD=<%IPFILE%
if "%IPADD%"=="" set IPADD=x

rem Resolve the client name only when an address was actually found (file not empty)
for %%A in (%IPFILE%) do if %%~zA==0 goto :skipname
nslookup %IPADD% | \\DC1\tools\sed -n "4p" | \\DC1\tools\awk "{print $2}" > %COMPFILE%
set /p COMPNAME=<%COMPFILE%
:skipname

rem DameWare client IP: foreign address of the ESTABLISHED connection to local port 6129
netstat -na | find ":6129" | find "ESTABLISHED" | \\DC1\tools\sed -n "2p" | \\DC1\tools\awk "{print $3}" | \\DC1\tools\sed s/:.*// > %DAMWIPFILE%
set /p DAMWIP=<%DAMWIPFILE%
rem 127.0.0.1 is the DameWare service talking to itself, not a remote operator
if "%DAMWIP%"=="127.0.0.1" set DAMWIP=x
if "%DAMWIP%"=="" set DAMWIP=x
if "%DAMWIP%"=="x" goto :nodamw
rem DameWare operator found: his PC name replaces the RDP one
nslookup %DAMWIP% | \\DC1\tools\sed -n "4p" | \\DC1\tools\awk "{print $2}" > %DAMWCOMPFILE%
set /p COMPNAME=<%DAMWCOMPFILE%
goto :skip
:nodamw
rem No DameWare peer and no RDP peer means a local (console) login
if "%IPADD%"=="x" set IPADD=LOCAL-LOGIN
:skip
if "%COMPNAME%"=="" set COMPNAME=LOCAL-LOGIN

rem Show on screen (useful when running the script by hand)
echo RDP Client IP: %IPADD% - DW IP: %DAMWIP% / Remote Client PC: %COMPNAME%
echo Login User: %USERNAME% / To: %COMPUTERNAME% / Local IP: %LOCALIP% / %DATE% %TIME%

rem Append the same record to the per-user and per-computer log on the server, then to the local log
for %%L in (%LOGSERVER% %LOGSERVER2% %LOGLOCAL%) do (
    echo --------------------------------- >> %%L
    echo LOCKED >> %%L
    echo RDP Client IP: %IPADD% - DW IP: %DAMWIP% / Remote Client PC: %COMPNAME% >> %%L
    echo Username - %USERNAME% / Computer - %COMPUTERNAME% / %DATE% %TIME% >> %%L
    echo --------------------------------- >> %%L
)


LOGOFF.CMD

@echo off
rem LOCALIP must be computed here (each task runs in a fresh cmd); CLIENTNAME is set by Windows only inside an RDP session
for /f "skip=1 tokens=2 delims=[]" %%a in ('ping.exe -4 -n 1 %COMPUTERNAME%') do (set "LOCALIP=%%a" & goto :exitFor1)
:exitFor1
echo LOGOFF -- Username: %USERNAME% / PC_name: %COMPUTERNAME% / Local_ip: %LOCALIP% / Rdp_client: %CLIENTNAME% / %DATE% %TIME% >> \\DC1\userlog\%USERNAME%.log
echo LOGOFF -- Username: %USERNAME% / PC_name: %COMPUTERNAME% / Local_ip: %LOCALIP% / Rdp_client: %CLIENTNAME% / %DATE% %TIME% >> \\DC1\userlog\%COMPUTERNAME%.log

 


RELOGIN-LOG.CMD

@echo off
rem *** Script to add log of session continue / relogin ***
rem *** Syed Jahanzaib aacable@hotmail.com ***
rem schtasks /delete /tn "Update LOGIN - LOG to Server" /f
cls
rem Create Backup folder if not exists already
set "TEMPLOC=C:\BACKUP"
if not exist "%TEMPLOC%" mkdir "%TEMPLOC%"
set LOGSERVER="\\DC1\userlog\%USERNAME%.log"
set LOGTOSERVERBYCOMPNAME="\\DC1\userlog\%COMPUTERNAME%.log"
set LOGLOCAL="%TEMPLOC%\LOCAL.LOG"
set IPFILE="%TEMPLOC%\IP.TXT"
set COMPFILE="%TEMPLOC%\COMPNAME.TXT"
set DAMWIPFILE="%TEMPLOC%\damwipfile.txt"
set DAMWCOMPFILE="%TEMPLOC%\damwip.txt"
set IPADD=
set DAMWIP=
set COMPNAME=
set LOCALIP=
del %IPFILE% 2> nul
del %COMPFILE% 2> nul
del %DAMWIPFILE% 2> nul
rem Kill any nslookup left hanging from an earlier run (it blocks when DNS is unreachable)
taskkill /F /IM nslookup.exe 2> nul

rem Get local IP address from the "Pinging HOST [a.b.c.d] ..." line (-4 forces the IPv4 address)
for /f "skip=1 tokens=2 delims=[]" %%a in ('ping.exe -4 -n 1 %COMPUTERNAME%') do (set "LOCALIP=%%a" & goto :exitFor1)
:exitFor1

rem RDP client IP: foreign address (column 3) of the ESTABLISHED connection to local port 3389
netstat -na | find ":3389" | find "ESTABLISHED" | \\DC1\tools\awk "{print $3}" | \\DC1\tools\sed s/:.*// > %IPFILE%
set /p IPADD=<%IPFILE%
if "%IPADD%"=="" set IPADD=x

rem Resolve the client name only when an address was actually found (file not empty)
for %%A in (%IPFILE%) do if %%~zA==0 goto :skipname
nslookup %IPADD% | \\DC1\tools\sed -n "4p" | \\DC1\tools\awk "{print $2}" > %COMPFILE%
set /p COMPNAME=<%COMPFILE%
:skipname

rem DameWare client IP: foreign address of the ESTABLISHED connection to local port 6129
netstat -na | find ":6129" | find "ESTABLISHED" | \\DC1\tools\sed -n "2p" | \\DC1\tools\awk "{print $3}" | \\DC1\tools\sed s/:.*// > %DAMWIPFILE%
set /p DAMWIP=<%DAMWIPFILE%
rem 127.0.0.1 is the DameWare service talking to itself, not a remote operator
if "%DAMWIP%"=="127.0.0.1" set DAMWIP=x
if "%DAMWIP%"=="" set DAMWIP=x
if "%DAMWIP%"=="x" goto :nodamw
rem DameWare operator found: his PC name replaces the RDP one
nslookup %DAMWIP% | \\DC1\tools\sed -n "4p" | \\DC1\tools\awk "{print $2}" > %DAMWCOMPFILE%
set /p COMPNAME=<%DAMWCOMPFILE%
goto :skip
:nodamw
rem No DameWare peer and no RDP peer means a local (console) login
if "%IPADD%"=="x" set IPADD=LOCAL-LOGIN
:skip
if "%COMPNAME%"=="" set COMPNAME=LOCAL-LOGIN

rem Show on screen (useful when running the script by hand)
echo RDP Client IP: %IPADD% - DW IP: %DAMWIP% / Remote Client PC: %COMPNAME%
echo Login User: %USERNAME% / To: %COMPUTERNAME% / Local IP: %LOCALIP% / %DATE% %TIME%

rem Append the same record to the per-user and per-computer log on the server, then to the local log
for %%L in (%LOGSERVER% %LOGTOSERVERBYCOMPNAME% %LOGLOCAL%) do (
    echo --------------------------------- >> %%L
    echo SESSION-CONTINUED >> %%L
    echo RDP Client IP: %IPADD% - DW IP: %DAMWIP% / Remote Client PC: %COMPNAME% >> %%L
    echo Username - %USERNAME% / Computer - %COMPUTERNAME% / %DATE% %TIME% >> %%L
    echo --------------------------------- >> %%L
)
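login-log.cmd, lock-login.cmd, relogin-log.cmd and LOGOFF.CMD above all repeat the same netstat/sed/awk pipeline and differ only in the label they write. As an added example (not from the blog post and not the author's script), here is one PowerShell script, Write-SessionLog.ps1, that produces the same LOGIN / LOCKED / SESSION-CONTINUED / LOGOFF records from a single file, without copying third-party sed/awk binaries to a share and with the reverse lookup and local IP done through .NET instead of nslookup/ping parsing. It assumes the \\DC1\userlog share and C:\BACKUP folder from the post; the script name, the -EventType parameter and the extra "Local IP" field in the record are this example's own choices. It stays within PowerShell 2.0 so it runs on the Windows 7 workstation in the scenario.

```powershell
# Write-SessionLog.ps1 -- added example, not the blog's own script.
# One script for the LOGIN / LOCKED / SESSION-CONTINUED / LOGOFF records that
# login-log.cmd, lock-login.cmd, relogin-log.cmd and LOGOFF.CMD write.
# Assumptions: \\DC1\userlog and C:\BACKUP are the locations from the post;
# the script name and the -EventType parameter are ours. PowerShell 2.0 compatible.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('LOGIN', 'LOGOFF', 'LOCKED', 'SESSION-CONTINUED')]
    [string]$EventType,
    [string]$LogShare = '\\DC1\userlog',
    [string]$LocalDir = 'C:\BACKUP'
)

# Foreign address of an ESTABLISHED TCP connection to a local port, parsed from
# "netstat -n" (Get-NetTCPConnection does not exist on Windows 7). Loopback peers
# are ignored, as the .cmd scripts do for DameWare's own 127.0.0.1 connection.
function Get-RemotePeer([int]$LocalPort) {
    $pattern = '^\s*TCP\s+\S+:' + $LocalPort + '\s+(\S+):(\d+)\s+ESTABLISHED'
    foreach ($line in (& netstat -n)) {
        if ($line -match $pattern) {
            $peer = $matches[1].Trim('[', ']')   # IPv6 peers are printed as [addr]:port
            if ($peer -ne '127.0.0.1' -and $peer -ne '::1') { return $peer }
        }
    }
    return $null
}

# Reverse lookup that never throws (replaces "nslookup | sed -n 4p | awk").
function Resolve-PeerName([string]$Ip) {
    if (-not $Ip) { return $null }
    try { return [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { return $null }
}

# First non-loopback IPv4 address of this host (replaces the ping/for trick).
function Get-LocalIPv4 {
    foreach ($a in [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME)) {
        if ($a.AddressFamily -eq 'InterNetwork' -and -not [System.Net.IPAddress]::IsLoopback($a)) {
            return $a.IPAddressToString
        }
    }
    return 'x'
}

$rdpIp = Get-RemotePeer 3389
$dwIp  = Get-RemotePeer 6129

# Prefer the DameWare operator's name when both are present, like the .cmd scripts do.
$peerName = $null
if ($dwIp) { $peerName = Resolve-PeerName $dwIp }
if (-not $peerName -and $rdpIp) { $peerName = Resolve-PeerName $rdpIp }
# Inside an RDP session Windows also exposes the client's name as CLIENTNAME (used by LOGOFF.CMD).
if (-not $peerName -and $env:CLIENTNAME) { $peerName = $env:CLIENTNAME }

# Same placeholders as the .cmd files: LOCAL-LOGIN for a console login, x for "not present".
if (-not $rdpIp -and -not $dwIp) { $rdpIp = 'LOCAL-LOGIN' }
if (-not $rdpIp)    { $rdpIp = 'x' }
if (-not $dwIp)     { $dwIp = 'x' }
if (-not $peerName) { $peerName = 'LOCAL-LOGIN' }

$stamp  = Get-Date -Format 'ddd MM/dd/yyyy HH:mm:ss.ff'
$record = @(
    '---------------------------------',
    $EventType,
    "RDP Client IP: $rdpIp - DW IP: $dwIp / Remote Client PC: $peerName",
    "Username - $env:USERNAME / Computer - $env:COMPUTERNAME / Local IP: $(Get-LocalIPv4) / $stamp",
    '---------------------------------'
)

# Same record to the per-user and per-computer file on the server, and to the local copy.
# A failure on the share (DC offline, permission problem) must not lose the local record.
if (-not (Test-Path -LiteralPath $LocalDir)) { New-Item -ItemType Directory -Path $LocalDir | Out-Null }
$targets = @("$LogShare\$env:USERNAME.log", "$LogShare\$env:COMPUTERNAME.log", "$LocalDir\LOCAL.LOG")
foreach ($t in $targets) {
    try { Add-Content -LiteralPath $t -Value $record -ErrorAction Stop }
    catch { Write-Warning "could not append to ${t}: $($_.Exception.Message)" }
}
```

The scheduled task action for each trigger then becomes the same command with a different label, for example `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "<path on SYSVOL>\Write-SessionLog.ps1" -EventType LOCKED` (the SYSVOL path is a placeholder). Because the local copy is written even when the share is unreachable, a gap in the server-side log can be told apart from a gap in the workstation's activity.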


Windows Task Scheduler Configuration via GPO


[Screenshots from the original post: 1-task-scheduler, 2-update-re-login, 3-trigger, 4-action]
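The screenshots show the task-scheduler preference being built by hand in the GPO. As an added example (not the post's own configuration), the following PowerShell script, Register-SessionTasks.ps1, registers the same kind of tasks on one machine: one task per session-state trigger (lock, unlock, console reconnect, remote reconnect), each running the matching .cmd from the post as the user whose session changed state. Windows 7 has no Register-ScheduledTask, so each task is described in Task Scheduler XML and imported with schtasks /XML; the SYSVOL script folder and the task names are placeholders.

```powershell
# Register-SessionTasks.ps1 -- added example, not the blog's GPO configuration.
# Creates locally the Task Scheduler entries the post builds in the GPO, using
# Task Scheduler XML + schtasks /XML (Register-ScheduledTask is not on Windows 7).
# Assumptions: $ScriptDir is a placeholder for the SYSVOL folder holding the .cmd
# files; task names are ours. Run from an elevated prompt.
param(
    [string]$ScriptDir  = '\\DC1\SYSVOL\example.local\scripts',   # placeholder path
    [string]$TaskPrefix = 'SessionLog'
)

# Session-state trigger -> script from the post that records that event
# (scenario items 3-5: lock, reconnect from console or remote, unlock).
$triggers = @{
    'SessionLock'    = 'lock-login.cmd'
    'SessionUnlock'  = 'relogin-log.cmd'
    'ConsoleConnect' = 'relogin-log.cmd'
    'RemoteConnect'  = 'relogin-log.cmd'
}

function New-SessionTaskXml([string]$StateChange, [string]$ScriptPath) {
    # Escape the argument text so a path never breaks the XML
    $argText = [System.Security.SecurityElement]::Escape('/c "' + $ScriptPath + '"')
    # Principal is BUILTIN\Users (S-1-5-32-545): the task runs as whichever user's
    # session changed state, so the .cmd sees that user's USERNAME and CLIENTNAME.
    # No <UserId> on the trigger means "any user's session".
    return @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Session logging: $StateChange</Description>
  </RegistrationInfo>
  <Triggers>
    <SessionStateChangeTrigger>
      <Enabled>true</Enabled>
      <StateChange>$StateChange</StateChange>
    </SessionStateChangeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>$argText</Arguments>
    </Exec>
  </Actions>
</Task>
"@
}

foreach ($state in $triggers.Keys) {
    $xmlPath = Join-Path $env:TEMP "$TaskPrefix-$state.xml"
    # Write the file in the encoding the XML declaration promises (UTF-16 with BOM)
    New-SessionTaskXml $state (Join-Path $ScriptDir $triggers[$state]) |
        Out-File -FilePath $xmlPath -Encoding Unicode
    & schtasks.exe /Create /TN "$TaskPrefix-$state" /XML $xmlPath /F
    Remove-Item -LiteralPath $xmlPath
}

# Check one of the registered tasks: trigger, principal and action should match the XML above
& schtasks.exe /Query /TN "$TaskPrefix-SessionLock" /V /FO LIST
```

Login and logoff are not session-state changes; they stay on the GPO logon/logoff scripts as in the post. The ExecutionTimeLimit of five minutes is there so a script stuck on an unreachable DNS server or share (the reason the .cmd files kill leftover nslookup processes) is terminated rather than left running for each locked session.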

For login entries, I used a startup script like welcome.vbs.

welcome.vbs


' Domain Users Welcome Logon script / syed jahanzaib
dim objShell, objNetwork
set objShell = WScript.CreateObject("WScript.Shell")
set objNetwork = WScript.CreateObject("WScript.Network")
' let's display a welcome message
dim strDomain, strUser
strDomain = objNetwork.UserDomain
strUser = objNetwork.UserName
msgbox "Welcome to AGP (Pvt) Ltd. " & strUser & "!"
' msgbox "Welcome to the " & strDomain & ", " & strUser & "!"
' Syed jahanzaib


Result:

Now you can open the log file on the log server, or on the local PC as well.

---------------------------------
---------------------------------
LOGOFF -- user1.id USER1_PC Mon 01/23/2017 17:03:34.68
---------------------------------
---------------------------------
LOGIN
RDP Client IP: LOCAL-LOGIN - DW IP: x / Remote Client PC: LOCAL-LOGIN
Username - user1.id / Computer - USER1_PC / Tue 01/24/2017 8:31:15.80
---------------------------------
---------------------------------
LOCKED
RDP Client IP: LOCAL-LOGIN - DW IP: x / Remote Client PC: LOCAL-LOGIN
Username - user1.id / Computer - USER1_PC / Tue 01/24/2017 9:33:30.06
---------------------------------
---------------------------------
SESSION-CONTINUED
RDP Client IP: LOCAL-LOGIN - DW IP: x / Remote Client PC: LOCAL-LOGIN
Username - user1.id / Computer - USER1_PC / Tue 01/24/2017 9:36:22.70
---------------------------------
---------------------------------
LOCKED
RDP Client IP: LOCAL-LOGIN - DW IP: x / Remote Client PC: LOCAL-LOGIN
Username - user1.id / Computer - USER1_PC / Tue 01/24/2017 9:36:30.19
---------------------------------
---------------------------------
SESSION-CONTINUED
RDP Client IP: LOCAL-LOGIN - DW IP: x / Remote Client PC: LOCAL-LOGIN
Username - user1.id / Computer - USER1_PC / Tue 01/24/2017 9:49:58.99
---------------------------------

userlog Folder Permission

On the remote log server, you can set permissions on the userlog folder so that users can only write to it, but not browse it.

[Screenshot from the original post: permission]
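The screenshot shows the permission dialog; as an added example (not the post's own configuration), the following PowerShell script, Set-UserlogAcl.ps1, applies the same write-only idea with icacls: users can create log files and append to existing ones, but cannot list the folder or read other users' logs. The folder path and the group name are placeholders for the real log server, and the verification function is this example's own.

```powershell
# Set-UserlogAcl.ps1 -- added example, not the blog's configuration.
# Write-only NTFS ACL for the folder behind \\DC1\userlog.
# Assumptions: $Folder and $Writers are placeholders for the real server and group.
param(
    [string]$Folder  = 'D:\userlog',             # placeholder: local path behind \\DC1\userlog
    [string]$Writers = 'EXAMPLE\Domain Users'    # placeholder group that may write logs
)
if (-not (Test-Path -LiteralPath $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

# Start from an explicit ACL instead of whatever the parent folder inherits.
& icacls.exe $Folder /inheritance:r
& icacls.exe $Folder /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# WD = create files / write data, AD = append data, RA = read attributes, X = traverse.
# RD (list folder / read data) is deliberately absent: "dir \\DC1\userlog" fails for
# users while ">> \\DC1\userlog\%USERNAME%.log" still works. (OI)(CI) makes the
# entry inherit to the log files that the scripts create.
& icacls.exe $Folder /grant "${Writers}:(OI)(CI)(WD,AD,RA,X)"
& icacls.exe $Folder

# Verification, to be run from a normal user account: listing must be denied and
# appending must succeed. Returns $true only when both hold.
function Test-WriteOnly([string]$Share, [string]$FileName) {
    $listDenied = $false
    try { Get-ChildItem -LiteralPath $Share -ErrorAction Stop | Out-Null } catch { $listDenied = $true }
    $appendOk = $true
    try { Add-Content -LiteralPath (Join-Path $Share $FileName) -Value 'acl-test' -ErrorAction Stop }
    catch { $appendOk = $false }
    return ($listDenied -and $appendOk)
}
# Test-WriteOnly '\\DC1\userlog' "$env:USERNAME.log"   # expected $true as a non-admin user
```

Two caveats apply. The share permission sits on top of the NTFS ACL, so the group needs Change on the share as well. And the account that creates a file becomes its owner, and an owner can always change the file's ACL; since the per-computer log is written by every user of that PC, pre-create those files as an administrator so that no user owns them.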



Syed.Jahanzaib
