Kaseya Community

Script to enable user logon audit

  • Does anyone know of a script to enable a stand alone pc user logon auditing? Perhaps via a registry entry.

    Remote stand alone pc users need to be audited for their login & logout times.

    I would think the event log would show login & logout times. An email alert for this would be great, or a report for it.

    TIA

    Legacy Forum Name: Script to enable user logon audit,
    Legacy Posted By Username: shickey
  • This is really a policy setting for the security log to actually audit the logon/off successes. Once that is enabled, you should receive the events in the event log.

    Not sure of how to go about that with a script, but I'm not sure you even need one for this.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: rhayes@expertnetsolutions.com
  • Tons of TIDS on setting it up manually, but looking for a script to make changes to the registry to enable user logon auditing for remote stand alone user machines. Most of them RDP into main office, but, client wants to know when the remote users are logging into the local machines in the mornings and when are they logging off at night. If I can get this enabled, I can pull it thru the event log. I can check the RDP logins, but users claim they are logging in in the mornings and the client does not think so and would like a log file to see when and if the users are logging in.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: shickey
  • Again, getting the Security events to fire on success/failure for the remote machines is what you need.
    I am not familiar with some registry setting to turn this on. I know there is a resource kit tool - Auditpol that can be used to do this from a script.

    Are these remote machines monitored (i.e. running a Kaseya agent)? If so, then it's just going to be 1) enable the security auditing 2) monitor the security event logs

    Your other option is to put a batch script (or app of your choice) into their startup. This script/app could simply append a date and time to a log file. Then you could get that file as needed and review the information.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: rhayes@expertnetsolutions.com
  • You are correct, the security events need to be enabled. But, looking for a script to enable them via the VSA.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: shickey
  • Yes, I'm not sure of any registry setting (I'm sure there is one), but the Auditpol utility should provide the means to turn it on.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: rhayes@expertnetsolutions.com
  • I am looking for this as well. I wish to monitor a specific account, and would like a notification when it logs onto the network (auditing to event viewer enabled). How can I script this? Keep in mind, I am very new to scripting.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: clomele
  • This thread has surfaced two different needs. One was to turn on auditing; the other was to monitor account login.
    If you have auditing turned on (for login success events), then you can easily set up a monitor to let you know when an account logs in or out.
    No script necessary.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: rhayes@expertnetsolutions.com
  • If you can achieve this with a policy, doesn't that just set a registry key in the background?

    Get RegMon and monitor the changes while you are setting up the policy - that should reveal which registry keys you need - then just create a Kaseya script to set the registry keys.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: djmundy
  • Several people keep posting that a script isn't necessary. Perhaps they haven't read the thread. The question is given that Security Audits are not enabled by default, how can we enable them via a script.

    I would also like to know. We have a client with no domain or server and so all audits will have to be done through local security policy. We want a script that will enable the audits and then we can monitor them through the Monitor tab in Kaseya.

    If anyone figures this out please post it.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: emersonlenon
  • I've coded in VBS for a few years now. Once I checked into using VBS to create/change group/local policies but found no way to do it. Plenty of information out there on reading them but not changing. But I think I may have another way. I haven't tried it but I think it may fit the request. It's called secedit and it's a Microsoft utility http://technet.microsoft.com/en-us/library/bb490997.aspx. Let me know if it helps.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: connectex
  • When you install the Group Policy Management Console, I think it puts some VBS files into the app's program files directory that allow you to manipulate GPO's.

    Michael

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: RCS-Michael
  • We have a client without a domain. They have a policy that requires them to audit login/logout and file access. This can be turned on in the local security policy, but we want a way to remotely enforce it, say through a script.
    Editing the GPO's does us no good.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: emersonlenon
  • Based on the link to the secedit info above I came up with the following strategy. We will try it out and post the results here.

    1. Configure a machine as wanted via secpol.msc
    2. export it by running the following:
    secedit /export /cfg c:\filename
    3. copy that file to the managed files on the Kserver
    4. create a script in kaseya that copies the file to the temp dir and runs:
    secedit /import /cfg tempdir\filename /quiet

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: emersonlenon
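The secedit approach from the post above, written out as an added PowerShell example (not code from any poster in this thread): it applies a minimal template containing only the [Event Audit] section, then exports the policy again to confirm the values took effect. It uses `secedit /configure` with a scratch database (`/db`), which secedit requires in order to apply a template; the working folder and file names are assumptions, and it must run elevated.

```powershell
# Added example: enable logon/logoff auditing on a standalone PC via secedit.
# Folder and file names are assumptions; run from an elevated session.
$work = Join-Path $env:TEMP 'logon-audit'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf   = Join-Path $work 'audit.inf'   # template to apply
$sdb   = Join-Path $work 'audit.sdb'   # scratch database used by /configure
$log   = Join-Path $work 'audit.log'
$check = Join-Path $work 'check.inf'   # read-back export

# Minimal security template: only the audit settings we want to change.
# Values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
# The single-quoted here-string keeps $CHICAGO$ literal.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
'@
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the security-policy area of the template to the local machine.
secedit /configure /db $sdb /cfg $inf /areas SECURITYPOLICY /log $log /quiet

# Verify by exporting the local policy and reading the two values back,
# rather than trusting the exit code alone.
secedit /export /cfg $check /areas SECURITYPOLICY /quiet
$found = @(Select-String -Path $check `
    -Pattern '^Audit(LogonEvents|AccountLogon)\s*=\s*(\d)')
foreach ($m in $found) { $m.Line }

$bad = @($found | Where-Object { $_.Matches[0].Groups[2].Value -ne '3' })
if ($found.Count -ne 2 -or $bad.Count -gt 0) {
    throw "Logon auditing was not applied as expected; see $log"
}
```

Because the template carries only the two audit keys, other local security settings on the machine are left as they were.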
  • bothoff.txt
    I have attached .reg files with the changes made when modifying the user logon policy.

    hklm\security\policy\poladtev

    If you want to view the keys you will have to give yourself permission, otherwise it's restricted to only the system.

    I've attached files for each of the configurations of this, audit none, audit success only, audit failure only, audit both. Created from WinXP SP3.

    Hope this helps

    Kenny

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: kroberts210