Track Domain User Logons and Logoffs

From: Bruno Mendonça (anonymous_at_discussions.microsoft.com)
Date: 06/03/04


Date: Thu, 3 Jun 2004 10:26:13 -0700

My boss asked me to build a program to create a report
with logon/logoff events for all users within our Windows
domain. I'm using .NET to do so and decided to have a
program running on the Domain Controller to listen to all
new events and send them to a database. This last part I
haven't worked on yet, because I can't tell which events are
relevant to write to the db and which are not.

I have managed to listen to all the security log events on
the DC with the following code:

        ' Subscribe to every new record written to the Security log on the DC;
        ' WMI polls for new Win32_NTLogEvent instances every 60 seconds
        ManagementEventWatcher1.Query = New System.Management.EventQuery( _
            "SELECT * FROM __InstanceCreationEvent WITHIN 60 " & _
            "WHERE TargetInstance ISA ""Win32_NTLogEvent"" " & _
            "AND TargetInstance.Logfile = ""Security""")
        ManagementEventWatcher1.Scope = New System.Management.ManagementScope("\\sededc01\root\CIMV2")

        Dim handler As New MyHandler

        AddHandler ManagementEventWatcher1.EventArrived, AddressOf handler.Arrived

        ' Start watching for events
        ManagementEventWatcher1.Start()

This next Sub sends the information of each event to the
output window of VB.NET:

    Imports System.Management

    Public Class MyHandler
        Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
            Dim mbo As ManagementBaseObject

            ' TargetInstance carries the Win32_NTLogEvent record that was just written;
            ' a missing WMI property comes back as Nothing, so test the Value, not the PropertyData
            If Not (e.NewEvent.Properties("TargetInstance").Value Is Nothing) Then
                mbo = CType(e.NewEvent.Properties("TargetInstance").Value, ManagementBaseObject)

                If Not (mbo.Properties("Message").Value Is Nothing) Then
                    Console.WriteLine(mbo.Properties("Message").Value)
                    Console.WriteLine(mbo.Properties("ComputerName").Value)
                    Console.WriteLine(mbo.Properties("Category").Value)
                    Console.WriteLine(mbo.Properties("EventCode").Value)
                    Console.WriteLine(mbo.Properties("User").Value)
                End If
            End If
        End Sub
    End Class

My problem is how to interpret the events. There are new
events every second, tons of them. And I'm sure we don't
have people logging on or off every second. Even if I limit
my query to TargetInstance.EventCode = "538", I still get
lots of events being generated, with very similar messages.

Here are some output examples:

Message: Successful Network Logon:
         User Name: CML2817$
         Domain: CMLOURES
         Logon ID: (0x0,0xED81BD)
         Logon Type: 3
         Logon Process: Kerberos
         Authentication Package: Kerberos
         Workstation Name:
Computer: SEDEDC02
Category: 2
EventCode: 540
User: CMLOURES\CML2817$

CML2817$ is not a user, it's a computer of the domain. If
this was a logon, who is the user?

Message: User Logoff:
         User Name: CML298$
         Domain: CMLOURES
         Logon ID: (0x0,0xED81D4)
         Logon Type: 3
Computer: SEDEDC02
Category: 2
EventCode: 538
User: CMLOURES\CML298$

If this was a logoff, who is the user?

Is there any way to be sure that one specific event really
is a logon (or logoff) to a computer, to what computer and
what user did it?

Bruno
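As an added example (not Bruno's code), here is the reading of these messages that a practitioner would apply, written in Python so it can be run over the quoted bodies offline: a name ending in "$" is a computer account, Logon Type 3 is a network logon rather than a person at a keyboard, and a logon is tied to its logoff by the Logon ID on the same computer. The sample records are constructed; the user "jsilva" and the CML2817 events are assumed.

```python
import re
from collections import namedtuple

# Constructed sample input (not from the post): the two bodies Bruno quotes,
# plus an assumed interactive logon (528) and its logoff (538) for a made-up
# user "jsilva", logged by the workstation CML2817 rather than by the DC.
SAMPLE = [
    ("SEDEDC02", 540, "Successful Network Logon:\n User Name: CML2817$\n Domain: CMLOURES\n"
     " Logon ID: (0x0,0xED81BD)\n Logon Type: 3\n Workstation Name:\n"),
    ("SEDEDC02", 538, "User Logoff:\n User Name: CML298$\n Domain: CMLOURES\n"
     " Logon ID: (0x0,0xED81D4)\n Logon Type: 3\n"),
    ("CML2817", 528, "Successful Logon:\n User Name: jsilva\n Domain: CMLOURES\n"
     " Logon ID: (0x0,0x3A1F2)\n Logon Type: 2\n Workstation Name: CML2817\n"),
    ("CML2817", 538, "User Logoff:\n User Name: jsilva\n Domain: CMLOURES\n"
     " Logon ID: (0x0,0x3A1F2)\n Logon Type: 2\n"),
]

FIELD = re.compile(r"^[ \t]*(User Name|Domain|Logon ID|Logon Type|Workstation Name):[ \t]*(.*)$", re.M)
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}
Session = namedtuple("Session", "computer user domain logon_type still_open")

def parse_event(computer, code, message):
    """Pull the fields that matter out of the free-text Message body."""
    f = {k: v.strip() for k, v in FIELD.findall(message)}
    return {"computer": computer, "code": code, "user": f.get("User Name", ""),
            "domain": f.get("Domain", ""), "logon_id": f.get("Logon ID", ""),
            "logon_type": int(f.get("Logon Type") or 0)}

def is_user_session(ev):
    # A name ending in '$' is a computer account, and Logon Type 3 is a network logon
    # (a machine or user reaching a share or service), not someone at a keyboard.
    return not ev["user"].endswith("$") and ev["logon_type"] in (2, 10)

def as_session(ev, still_open):
    return Session(ev["computer"], ev["user"], ev["domain"], LOGON_TYPES[ev["logon_type"]], still_open)

def pair_sessions(raw_events):
    """Match 528/540 logons to 538 logoffs. Logon ID is unique only per boot of
    the computer that logged it, so the key is (computer, logon_id)."""
    open_sessions, closed = {}, []
    for computer, code, message in raw_events:
        ev = parse_event(computer, code, message)
        if not is_user_session(ev):
            continue  # the machine-account / network-logon noise the post shows
        key = (computer, ev["logon_id"])
        if code in (528, 540):
            open_sessions[key] = ev
        elif code == 538 and key in open_sessions:
            closed.append(as_session(open_sessions.pop(key), False))
    return closed + [as_session(e, True) for e in open_sessions.values()]
```

Logon/Logoff events 528/540/538 are written by the computer that owns the session, so a watcher on the DC only sees the DC's own sessions and the network logons made to it; console logons on workstations have to be read from each workstation's Security log.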
