There are many ways to log user activity on a domain. One of the ways that I prefer is to write user logon and logoff activity to plain text files on a network share. I used to do this via a .bat file, but recently rewrote the process using PowerShell.
Create a Shared Folder for your Scripts
Your first step is to create a shared folder on a server that is accessible by all users on a domain. All users/computers will require read/execute permission.
- e.g. \\SERVER\Shared\Scripts\logon.ps1
- e.g. \\SERVER\Shared\Scripts\logoff.ps1
Create Shared Folders for your Log Files
Also create the following shared folders that will hold your log files. All users will require write/modify permission (remove read/delete/etc). Your Help Desk and Domain Administrators should also have Read permission. We will write the exact same information to three folders, but use different folders and filenames to make this data easy to find.
- e.g. \\SERVER\Shared\ActivityLogs\LogonLogoff\Computer\
- e.g. \\SERVER\Shared\ActivityLogs\LogonLogoff\Date\
- e.g. \\SERVER\Shared\ActivityLogs\LogonLogoff\User\
Create two PowerShell Scripts
This is my PowerShell Logon script (logon.ps1).
```powershell
# Record Logon information
# Script written by Jason Pearce 2016 Dec (jasonpearce.com)
# Purpose is to record Logon information (Username, Computername, and Date) to some log files

# Clean and sortable date and time
$DateYearMonthDay = Get-Date -Format "yyyy-MM-dd"
$TimeHourMinuteSecond = Get-Date -Format "HH:mm:ss"

# Target Folders
$TargetFolderComputer = "\\SERVER\Shared\ActivityLogs\LogonLogoff\Computer\"
$TargetFolderDate = "\\SERVER\Shared\ActivityLogs\LogonLogoff\Date\"
$TargetFolderUser = "\\SERVER\Shared\ActivityLogs\LogonLogoff\User\"

# Target Files
$TargetFileComputer = $TargetFolderComputer + $env:computername + ".txt"
$TargetFileDate = $TargetFolderDate + $DateYearMonthDay + ".txt"
$TargetFileUser = $TargetFolderUser + $env:username + ".txt"

# Create a new object containing Date, Time, Computer, User, Action (logon or logoff)
$obj = New-Object PSObject
$obj | Add-Member -MemberType NoteProperty -Name "Date" -Value $DateYearMonthDay
$obj | Add-Member -MemberType NoteProperty -Name "Time" -Value $TimeHourMinuteSecond
$obj | Add-Member -MemberType NoteProperty -Name "Computer" -Value $env:computername
$obj | Add-Member -MemberType NoteProperty -Name "User" -Value $env:username
$obj | Add-Member -MemberType NoteProperty -Name "Action" -Value "Logon"

# Write information to a few log files
# (the -Append parameter of Export-CSV requires PowerShell 3.0 or later)
$obj | Export-CSV -Force -NoTypeInformation -Append $TargetFileComputer
$obj | Export-CSV -Force -NoTypeInformation -Append $TargetFileDate
$obj | Export-CSV -Force -NoTypeInformation -Append $TargetFileUser
```
This is my PowerShell Logoff script (logoff.ps1).
```powershell
# Record Logoff information
# Script written by Jason Pearce 2016 Dec (jasonpearce.com)
# Purpose is to record Logoff information (Username, Computername, and Date) to some log files

# Clean and sortable date and time
$DateYearMonthDay = Get-Date -Format "yyyy-MM-dd"
$TimeHourMinuteSecond = Get-Date -Format "HH:mm:ss"

# Target Folders
$TargetFolderComputer = "\\SERVER\Shared\ActivityLogs\LogonLogoff\Computer\"
$TargetFolderDate = "\\SERVER\Shared\ActivityLogs\LogonLogoff\Date\"
$TargetFolderUser = "\\SERVER\Shared\ActivityLogs\LogonLogoff\User\"

# Target Files
$TargetFileComputer = $TargetFolderComputer + $env:computername + ".txt"
$TargetFileDate = $TargetFolderDate + $DateYearMonthDay + ".txt"
$TargetFileUser = $TargetFolderUser + $env:username + ".txt"

# Create a new object containing Date, Time, Computer, User, Action (logon or logoff)
$obj = New-Object PSObject
$obj | Add-Member -MemberType NoteProperty -Name "Date" -Value $DateYearMonthDay
$obj | Add-Member -MemberType NoteProperty -Name "Time" -Value $TimeHourMinuteSecond
$obj | Add-Member -MemberType NoteProperty -Name "Computer" -Value $env:computername
$obj | Add-Member -MemberType NoteProperty -Name "User" -Value $env:username
$obj | Add-Member -MemberType NoteProperty -Name "Action" -Value "Logoff"

# Write information to a few log files
# (the -Append parameter of Export-CSV requires PowerShell 3.0 or later)
$obj | Export-CSV -Force -NoTypeInformation -Append $TargetFileComputer
$obj | Export-CSV -Force -NoTypeInformation -Append $TargetFileDate
$obj | Export-CSV -Force -NoTypeInformation -Append $TargetFileUser
```
Create a Group Policy that runs these scripts
On a domain controller, create and link a new Group Policy to the users you wish to target. Consider adding User Group Policy loopback processing mode, depending on how your OUs are organized and what you target.
- Create a new Group Policy named “Log Logon and Logoff via PowerShell”
- Go to “User Configuration > Policies > Windows Settings > Scripts”
- Edit Logon > PowerShell Scripts > Add > \\SERVER\Shared\Scripts\logon.ps1
- Edit Logoff > PowerShell Scripts > Add > \\SERVER\Shared\Scripts\logoff.ps1
Results
After your Group Policy has propagated and some users have either logged on to or logged off of machines, you’ll find some new files in your three log folders:
- e.g. \\SERVER\Shared\ActivityLogs\LogonLogoff\Computer\COMPUTER1.txt
- e.g. \\SERVER\Shared\ActivityLogs\LogonLogoff\Date\2017-12-26.txt
- e.g. \\SERVER\Shared\ActivityLogs\LogonLogoff\User\USER1.txt
All three files will contain data that looks like this:
```
"Date","Time","Computer","User","Action"
"2016-12-25","16:12:17","COMPUTER-052","username","Logoff"
"2016-12-26","08:02:22","COMPUTER-014","username","Logon"
```
I like using three files because it makes it easier to find user activity by computer, date, or user, depending on your needs. Once a month, I zip and archive all of the data and start over with new log files.
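The CSV rows these scripts write can be paired into sessions, which exposes logons with no recorded logoff and logoffs with no recorded logon. This is an added example, not part of the original post; the function names `Get-LogonSession` and `New-SessionRecord` and the sample rows are assumptions made for illustration.

```powershell
# Added example (not from the original post). Sample rows are constructed; on the real share use:
#   $rows = Get-ChildItem '\\SERVER\Shared\ActivityLogs\LogonLogoff\Date\*.txt' | Import-Csv
$rows = @'
"Date","Time","Computer","User","Action"
"2016-12-26","08:02:22","COMPUTER-014","alice","Logon"
"2016-12-26","08:15:40","COMPUTER-052","bob","Logon"
"2016-12-26","09:30:05","COMPUTER-033","alice","Logon"
"2016-12-26","12:01:10","COMPUTER-014","alice","Logoff"
"2016-12-26","17:03:55","COMPUTER-052","bob","Logoff"
"2016-12-26","17:20:00","COMPUTER-007","carol","Logoff"
'@ | ConvertFrom-Csv

function Get-LogonSession {
    param([Parameter(Mandatory = $true)][object[]]$Row)
    # Emit one session record; a missing start or end stays $null
    function New-SessionRecord($User, $Computer, $Start, $End) {
        [pscustomobject]@{
            User = $User; Computer = $Computer; Start = $Start; End = $End
            Minutes = if ($Start -and $End) { [math]::Round(($End - $Start).TotalMinutes, 1) } else { $null }
            Status  = if (-not $Start) { 'LogoffWithoutLogon' } elseif (-not $End) { 'NoLogoffRecorded' } else { 'Closed' }
        }
    }
    $open = @{}   # "user|COMPUTER" -> time of a logon still waiting for its logoff
    $events = foreach ($r in $Row) {
        [pscustomobject]@{
            When = [datetime]::ParseExact("$($r.Date) $($r.Time)", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            User = $r.User.ToLower(); Computer = $r.Computer.ToUpper(); Action = $r.Action
        }
    }
    foreach ($e in ($events | Sort-Object When)) {
        $key = "$($e.User)|$($e.Computer)"
        if ($e.Action -eq 'Logon') {
            # Second logon with no logoff in between: report the earlier one as unmatched
            if ($open.ContainsKey($key)) { New-SessionRecord $e.User $e.Computer $open[$key] $null }
            $open[$key] = $e.When
        } elseif ($open.ContainsKey($key)) {
            New-SessionRecord $e.User $e.Computer $open[$key] $e.When
            $open.Remove($key)
        } else {
            New-SessionRecord $e.User $e.Computer $null $e.When   # logoff with no logon row
        }
    }
    # Logons that never got a logoff row (crash, power loss, or session still active)
    foreach ($key in @($open.Keys)) {
        $u, $c = $key -split '\|', 2
        New-SessionRecord $u $c $open[$key] $null
    }
}
Get-LogonSession -Row $rows | Sort-Object User, Start | Format-Table -AutoSize
```

Because every user can write to these files, treat the output as a convenience view and confirm anything important against the Security event log (event IDs 4624 and 4634).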
I am having trouble adding to the list once it has been created. It works the first time, once I build the list; however, I cannot add subsequent logon/logoff entries. It just replaces the single entry with the new information. Any ideas?
Are you sure you are using the “Append” option for “Export-CSV”? Otherwise, maybe switch to DOS formatting and use the two greater-than symbols.