As an administrator sometimes managers need some information about their employees like how much time they spend using their PC or when the employee come to the office.
this information can be extracted from security logs of the system by pre-configuring the system in the group policy and running a script which will follow bellow.
First of all, we need to enable Audit under group policy:
Open gpedit.msc
under:
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit
enable: Audit account logon event (success)
enable: Audit logon events (success)
Now, we can use the script bellow in the future to have the needed information. (remark: the script should be run under the building local administrator.)
'Option Explicit Dim objFSO, objFolder, objFile, objWMI, objItem, objShell Dim strComputer, strFileName, strFileOpen, strFolder, strPath Dim intEvent, intNumberID, intRecordNum, colLoggedEvents Dim intEventType, strLogType, objWMIService '------------------------------------------------- 'Get the computer name Set WshNetwork = WScript.CreateObject("WScript.Network") computer = WshNetwork.ComputerName '------------------------------------------------- ' -------------------------------------------------------- ' Set the folder and file name strComputer = "." strFileName = "\" & computer & ".txt" strFolder = "C:\Temp" strPath = strFolder & strFileName ' Set numbers intNumberID = 680 ' Event ID Number intEventType = 4 strLogType = "'Security'" intRecordNum = 0 '------------------------------------------------- Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") Set colTimeZone = objWMIService.ExecQuery("Select * from Win32_TimeZone") For Each objTimeZone in colTimeZone TimeZone = objTimeZone.Bias Next '------------------------------------------------- ' ----------------------------------------------------- ' Section to create folder and hold file. ' Create the File System Object Set objFSO = CreateObject("Scripting.FileSystemObject") ' Check that the strFolder folder exists If objFSO.FolderExists(strFolder) Then Set objFolder = objFSO.GetFolder(strFolder) Else Set objFolder = objFSO.CreateFolder(strFolder) End If If objFSO.FileExists(strFolder & strFileName) Then Set objFolder = objFSO.GetFolder(strFolder) Else Set objFile = objFSO.CreateTextFile(strFolder & strFileName) End If ' -------------------------------------------------- ' Two tiny but vital commands (Try script without) set objFile = nothing set objFolder = nothing ' ---------------------------------------------------- ' Write the information to the file 'Wscript.Echo " Press OK and Wait 30 seconds (ish)" Set strFileOpen = objFso.CreateTextFile(strPath, True) ' ---------------------------------------------------------- ' WMI Core Section Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2") Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile =" & strLogType) ' ---------------------------------------------------------- ' Next section loops through ID properties For Each objItem in colLoggedEvents dyear = mid(objItem.TimeGenerated,1,4) dmonth = mid(objItem.TimeGenerated,5,2) dday = mid(objItem.TimeGenerated,7,2) dhour = cint(mid(objItem.TimeGenerated,9,2)) + CInt(TimeZone)/60 + 1 ' +1 if it's summer time dmin = mid(objItem.TimeGenerated,11,2) dsec = mid(objItem.TimeGenerated,13,2) 'User initiated logoff If objItem.EventCode = 4647 Then useraccount3 = mid(objItem.Message,instr(1,objItem.Message,"Account",0),InstrRev(objItem.Message,"Account", -1, 0)-instr(1,objItem.Message,"Account",0)) useraccount3 = mid(useraccount3,16,len(useraccount3)) dates = "Date: " & dday & "." & dmonth & "." & dyear & " - " & dhour & ":" & dmin & ":" & dsec users = mid(useraccount3,1,len(useraccount3)-3) strFileOpen.WriteLine(dates & " - " & users & " initiate a logoff from " & computer) End If 'An account was successfully logged on, UNLOCK If objItem.EventCode = 4624 And instr(1,objItem.Message, "winlogon.exe",0) > 0 Then logontype = Cint(mid(objItem.Message,InStr(1,objItem.Message,"Logon Type:",0)+14,2)) useraccount2 = mid(objItem.Message,1, InstrRev(objItem.Message,"Account", -1, 0)-1) useraccount2 = right(useraccount2,len(useraccount2)-InstrRev(useraccount2,"Account", -1, 0)) useraccount2 = mid(useraccount2,15, len(useraccount2)) dates = "Date: " & dday & "." & dmonth & "." & dyear & " - " & dhour & ":" & dmin & ":" & dsec users = mid(useraccount2,1,len(useraccount2)-3) If logontype = 7 Then strFileOpen.WriteLine(dates & " - " & users & " successfully unlock the " & computer) End If If logontype = 11 Then strFileOpen.WriteLine(dates & " - " & users & " successfully logged on to " & computer) End If End If 'An account was logged off If objItem.EventCode = 4634 And instr(1,objItem.Message, "ANONYMOUS",0) = 0 And instr(1,objItem.Message, "CLIENT",0) = 0 Then useraccount = mid(objItem.Message,instr(1,objItem.Message,"Account",0),InstrRev(objItem.Message,"Account", -1, 0)-instr(1,objItem.Message,"Account",0)) useraccount = mid(useraccount,16,len(useraccount)) dates = "Date: " & dday & "." & dmonth & "." & dyear & " - " & dhour & ":" & dmin & ":" & dsec users = mid(useraccount, 1,len(useraccount)-3) strFileOpen.WriteLine(dates & " - " & users & " Logged off from " & computer) End If 'The Screen saver was invoked If objItem.EventCode = 4802 Then dates = "Date: " & dday & "." & dmonth & "." & dyear & " - " & dhour & ":" & dmin & ":" & dsec strFileOpen.WriteLine(dates & " - " & "The Screen saver was invoked on " & computer) End If 'USER LOCK THE SYSTEM If objItem.EventCode = 4800 Then useraccount = mid(objItem.Message,instr(1,objItem.Message,"Account",0),InstrRev(objItem.Message,"Account", -1, 0)-instr(1,objItem.Message,"Account",0)) useraccount = mid(useraccount,16,len(useraccount)) dates = "Date: " & dday & "." & dmonth & "." & dyear & " - " & dhour & ":" & dmin & ":" & dsec users = mid(useraccount, 1,len(useraccount)-3) strFileOpen.WriteLine(dates & " - " & users & " lock the " & computer) End If 'System Shutdown If objItem.EventCode = 1100 Then dates = "Date: " & dday & "." & dmonth & "." & dyear & " - " & dhour & ":" & dmin & ":" & dsec strFileOpen.WriteLine(dates & " - " & computer & " is shuting down") End If 'Windows is starting up If objItem.EventCode = 4608 Then dates = "Date: " & dday & "." & dmonth & "." & dyear & " - " & dhour & ":" & dmin & ":" & dsec strFileOpen.WriteLine(dates & " - " & computer & " is Starting up") End If Next 'Confirms the script has completed and opens the file MsgBox("Work complete!") |