Windows logon and logoff
Start Using WinLogOnView
To get the logon/logoff information of a remote computer on your network, open the Advanced Options window (F9), choose 'Remote Computer' as the data source, and type the name of the remote computer to connect to.
To get the logon/logoff information from an external disk, choose 'External Disk' as the data source and type the path of the event log folder (on the original system this is usually C:\Windows\System32\winevt\Logs).
Command-Line Options
| Option | Description |
|---|---|
| /Source | Specifies the type of data source: 1 = Local Computer, 2 = Remote Computer, 3 = External Disk. |
| /Server | Specifies the remote computer to load (for use with /Source 2). |
| /ExternalFolder | Specifies the folder on the external disk to load (for use with /Source 3). |
| /stext | Save the list of all logon sessions into a regular text file. |
| /stab | Save the list of all logon sessions into a tab-delimited text file. |
| /scomma | Save the list of all logon sessions into a comma-delimited text file (CSV). |
| /stabular | Save the list of all logon sessions into a tabular text file. |
| /shtml | Save the list of all logon sessions into an HTML file (horizontal). |
| /sverhtml | Save the list of all logon sessions into an HTML file (vertical). |
| /sxml | Save the list of all logon sessions to an XML file. |
| /sort | Can be used with the other save options to sort by the desired column. If you don't specify this option, the list is sorted according to the last sort you made from the user interface. The parameter can be the column index (0 for the first column, 1 for the second column, and so on) or the column name, such as "User Name" or "Logon Time". Prefix the name with the `~` character (e.g. "~User Name") to sort in descending order. You can put multiple /sort options on the command line to sort by multiple columns. |
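As an added example (not part of the NirSoft documentation), the following PowerShell script runs WinLogOnView against an event-log folder copied from another machine (/Source 3), exports the sessions as CSV sorted by logon time descending, and then flags logons that fall outside business hours. The tool and evidence paths, the CSV column list, the business-hours window, and the assumption that 'Logon Time' is written in a format [datetime]::TryParse understands are all assumptions of this example.

```powershell
# Added example; not part of the NirSoft documentation.
# Assumptions: tool/evidence paths, the column list, the 07:00-19:00 Monday-Friday window,
# and that 'Logon Time' parses with [datetime]::TryParse under the current culture.
$tool = 'C:\Tools\WinLogOnView.exe'
$logs = 'E:\evidence\HOST01\winevt\Logs'    # folder holding the copied Security.evtx
$csv  = 'C:\cases\HOST01-sessions.csv'

# /Source 3 reads the copied logs; '~Logon Time' sorts newest first; /scomma writes CSV.
& $tool /Source 3 /ExternalFolder $logs /sort '~Logon Time' /scomma $csv

# Column names are supplied here (assumed to match the tool's columns) rather than read
# from the file, so the script works whether or not the export carries a header row.
$columns  = 'Logon ID', 'User Name', 'Domain', 'Computer', 'Logon Time', 'Logoff Time', 'Duration', 'Network Address'
$sessions = Import-Csv -LiteralPath $csv -Header $columns

function Get-OffHoursLogon {
    param(
        [Parameter(Mandatory)][object[]]$Sessions,
        [int]$StartHour = 7,    # assumed business day: 07:00-19:00, Monday to Friday
        [int]$EndHour   = 19
    )
    foreach ($s in $Sessions) {
        $t = [datetime]::MinValue
        # Rows whose 'Logon Time' does not parse (e.g. a header row) are skipped.
        if (-not [datetime]::TryParse($s.'Logon Time', [ref]$t)) { continue }
        $weekend = $t.DayOfWeek -in 'Saturday', 'Sunday'
        if ($weekend -or $t.Hour -lt $StartHour -or $t.Hour -ge $EndHour) {
            [pscustomobject]@{
                LogonTime      = $t
                User           = "$($s.Domain)\$($s.'User Name')"
                Computer       = $s.Computer
                NetworkAddress = $s.'Network Address'
            }
        }
    }
}

Get-OffHoursLogon -Sessions $sessions | Format-Table -AutoSize
```

Reading from a copied log folder rather than the live machine keeps the evidence unchanged and avoids authenticating to a possibly compromised host; the off-hours filter is just one triage view, and the same CSV can be grouped by Network Address or by user for other questions.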
Audit Other Logon/Logoff Events
Applies to
- Windows 10
- Windows Server 2016
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.
These other logon or logoff events include:
- A Remote Desktop session connects or disconnects.
- A workstation is locked or unlocked.
- A screen saver is invoked or dismissed.
- A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
- A user is granted access to a wireless network. It can be either a user account or the computer account.
- A user is granted access to a wired 802.1x network. It can be either a user account or the computer account.
Logon events are essential to understanding user activity and detecting potential attacks.
Event volume: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. The volume of these events is typically very low. Failure events will show you when a requested CredSSP credential delegation was disallowed by policy. The volume of these events is very low; typically you will not get any of them. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. The volume of these events is typically very low. Failure events will show you when a requested CredSSP credential delegation was disallowed by policy. The volume of these events is very low; typically you will not get any of them. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. The volume of these events is typically very low. Failure events will show you when a requested CredSSP credential delegation was disallowed by policy. The volume of these events is very low; typically you will not get any of them. |
Events List:
- 4649(S): A replay attack was detected.
- 4778(S): A session was reconnected to a Window Station.
- 4779(S): A session was disconnected from a Window Station.
- 4800(S): The workstation was locked.
- 4801(S): The workstation was unlocked.
- 4802(S): The screen saver was invoked.
- 4803(S): The screen saver was dismissed.
- 5378(F): The requested credentials delegation was disallowed by policy.
- 5632(S): A request was made to authenticate to a wireless network.
- 5633(S): A request was made to authenticate to a wired network.
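As an added example (not from the Microsoft article), the following PowerShell enables this subcategory with auditpol, confirms the effective setting, and then reads back the event IDs listed above, extracting the fields that matter for an RDP-reconnect investigation. It assumes an elevated session on the machine being audited; the 10.* address range in the final filter is a placeholder for your own client subnet.

```powershell
# Added example; not from the Microsoft article.
# Assumptions: elevated session; '10.*' stands in for the expected RDP client range.

# 1. Enable Success and Failure auditing for the subcategory and show the effective setting.
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Other Logon/Logoff Events"

# 2. The IDs from the article's event list and what each one means.
$OtherLogonLogoffEvents = @{
    4649 = 'Replay attack detected (Kerberos request received twice)'
    4778 = 'Session reconnected to a Window Station (RDP connect / fast user switching)'
    4779 = 'Session disconnected from a Window Station'
    4800 = 'Workstation locked'
    4801 = 'Workstation unlocked'
    4802 = 'Screen saver invoked'
    4803 = 'Screen saver dismissed'
    5378 = 'CredSSP credential delegation disallowed by policy'
    5632 = 'Authentication request to a wireless network'
    5633 = 'Authentication request to a wired (802.1x) network'
}

function Get-OtherLogonLogoffEvent {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME   # point this at each DC to cover the domain
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$OtherLogonLogoffEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML. 4778/4779 carry the RDP
            # client name and address (AccountName/AccountDomain); 4800-4803 name the user
            # as SubjectUserName/SubjectDomainName.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
            $user   = if ($data['AccountName'])   { $data['AccountName'] }   else { $data['SubjectUserName'] }
            $domain = if ($data['AccountDomain']) { $data['AccountDomain'] } else { $data['SubjectDomainName'] }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Id            = $_.Id
                Meaning       = $OtherLogonLogoffEvents[$_.Id]
                Account       = "$domain\$user"
                Session       = $data['SessionName']
                ClientName    = $data['ClientName']
                ClientAddress = $data['ClientAddress']
            }
        }
}

# 3. Example use: RDP reconnects in the last day from addresses outside the expected client range.
Get-OtherLogonLogoffEvent -Hours 24 |
    Where-Object { $_.Id -eq 4778 -and $_.ClientAddress -and $_.ClientAddress -notlike '10.*' } |
    Format-Table Time, Account, Session, ClientName, ClientAddress -AutoSize
```

Because 4778/4779 fire on reconnect and disconnect rather than on full logon and logoff, they fill the gap that 4624/4634 leave for RDP sessions that were disconnected and later resumed, which is why the article recommends Success auditing even though the volume is low.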
How to track users logon/logoff
This article describes how to track user logons and logoffs.
Original product version: Windows Server 2003
Original KB number: 556015
This article was written by Yuval Sinay, Microsoft MVP.
Summary
This article will help you track user logons and logoffs.
Option 1
Enable auditing at the domain level by using Group Policy:
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy
Two audit policy settings address logging on: Audit logon events and Audit account logon events.
Audit logon events records logons to the computer(s) targeted by the policy, and the results appear in the Security log of that computer.
Audit account logon events tracks logons to the domain (that is, authentication performed by a domain controller), and the results appear in the Security log of the domain controllers only.
Create a logon script on the required domain/OU/user account with the following content:
Create a logoff script on the required domain/OU/user account with the following content:
Be aware that users can tamper with the records these scripts write, because the SHARENAME$ share has to be writable by every user who logs on. Treat the share as a convenience index and the Security log enabled in the first step as the authoritative record.
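The KB's own script body is not reproduced on this page. As an added example (not the KB's script), the following PowerShell script serves as both the logon and the logoff script: assign it twice in Group Policy, once with the parameters `-Action Logon` and once with `-Action Logoff`. `\\SERVER\SHARENAME$` is a placeholder for the hidden, user-writable share the KB describes.

```powershell
# Added example; not the KB's original script. Save as Track-Logon.ps1 and assign it as the
# logon script ("-Action Logon") and as the logoff script ("-Action Logoff").
# \\SERVER\SHARENAME$ is a placeholder for a hidden share that every user can write to.
param(
    [Parameter(Mandatory)][ValidateSet('Logon', 'Logoff')][string]$Action,
    [string]$LogShare = '\\SERVER\SHARENAME$'
)

# One record per event: who, on which computer, from which session, authenticated by which DC.
$record = [pscustomobject]@{
    Timestamp    = (Get-Date).ToString('o')   # ISO 8601 with UTC offset, sorts as text
    Action       = $Action
    ComputerName = $env:COMPUTERNAME
    UserDomain   = $env:USERDOMAIN
    UserName     = $env:USERNAME
    SessionName  = $env:SESSIONNAME            # 'Console' or e.g. 'RDP-Tcp#3'
    LogonServer  = $env:LOGONSERVER            # DC that authenticated this logon
    ClientName   = $env:CLIENTNAME             # RDP client hostname; empty for console logons
}

# One file per user makes a given user's history easy to pull without scanning one large file.
# Export-Csv -Append writes the header row on first use and appends afterwards.
$logFile = Join-Path $LogShare ("{0}.csv" -f $env:USERNAME)
try {
    $record | Export-Csv -LiteralPath $logFile -Append -NoTypeInformation -Encoding UTF8
}
catch {
    # Never block the logon because the share is unreachable. The Security log enabled by
    # the audit policy above is the authoritative record; this file is only a convenience.
    Write-Warning "Could not write $Action record to ${logFile}: $_"
}
```

Everything written to a user-writable share can be edited or deleted by users, so use these files to find where and when to look, and confirm what you find against the Security log events on the computer and on the domain controllers.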
Option 2
Use WMI/ADSI to query each domain controller for logon/logoff events.
Community Solutions Content Disclaimer
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED «AS IS» WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
Working with startup, shutdown, logon, and logoff scripts using the Local Group Policy Editor
This topic describes how to use the Local Group Policy Editor (gpedit) to manage four types of event-driven scripting files.
Introduction
Group Policy allows you to associate one or more script files with four triggered events:
- Computer startup
- Computer shutdown
- User logon
- User logoff
You can use Windows PowerShell scripts, or write scripts in any other language supported by the client computer. Languages supported by Windows Script Host (WSH), including VBScript and JScript, can also be used. For more information about the editor, see Local Group Policy Editor.
Additional considerations
For more information about scripting, see the Group Policy Script Center (https://go.microsoft.com/fwlink/?LinkID=66013).
Local Group Policy Editor and the Resultant Set of Policy snap-in are available in Windows Server 2008 R2 and Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise. For more information, see https://go.microsoft.com/fwlink/?LinkId=139815.
How to assign computer startup scripts
To assign computer startup scripts
Open the Local Group Policy Editor.
In the console tree, click Scripts (Startup/Shutdown). The path is Computer Configuration\Windows Settings\Scripts (Startup/Shutdown).
In the results pane, double-click Startup.
In the Startup Properties dialog box, click Add.
In the Add a Script dialog box, do the following:
In the Script Name box, type the path to the script, or click Browse to search for the script file in the Netlogon shared folder on the domain controller.
In the Script Parameters box, type any parameters that you want, the same way as you would type them on the command line. For example, if your script includes parameters called //logo (display banner) and //I (interactive mode), type //logo //I.
In the Startup Properties dialog box, specify the options that you want:
Startup Scripts for : Lists all the scripts that currently are assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it and then click Up. To move a script down in the list, click it and then click Down.
Add: Opens the Add a Script dialog box, where you can specify any additional scripts to use.
Edit: Opens the Edit Script dialog box, where you can modify script information, such as name and parameters.
Remove: Removes the selected script from the Startup Scripts list.
Show Files: Displays the script files that are stored in the selected GPO.
Additional considerations
To complete this procedure, you must have Edit setting permission to edit a GPO. By default, members of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group have Edit setting permission to edit a GPO.
Startup scripts run under the Local System account and have the full rights associated with that account. Consequently, anyone who can modify a startup script file, or the folder it is loaded from, can run code as Local System on every computer the GPO applies to, so keep those files writable by administrators only.
Beginning in Windows Vista, startup scripts run asynchronously by default. This differs from earlier operating systems.
Setting startup scripts to run synchronously may cause the boot process to run slowly.
In Windows 7 and Windows Vista, startup scripts that run asynchronously are not visible. Enabling the Run Startup Scripts Visible policy setting has no effect when startup scripts run asynchronously.
How to assign computer shutdown scripts
To assign computer shutdown scripts
Open the Local Group Policy Editor.
In the console tree, click Scripts (Startup/Shutdown). The path is Computer Configuration\Windows Settings\Scripts (Startup/Shutdown).
In the results pane, double-click Shutdown.
In the Shutdown Properties dialog box, click Add.
In the Add a Script dialog box, do the following:
In Script Name, type the path to the script, or click Browse to search for the script file in the Netlogon shared folder on the domain controller.
In Script Parameters, type any parameters that you want, the same way as you would type them on the command line. For example, if your script includes parameters called //logo (display banner) and //I (interactive mode), type //logo //I.
In the Shutdown Properties dialog box, specify the options that you want:
Shutdown Scripts for : Lists all the scripts that are currently assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it and then click Up. To move a script down in the list, click it and then click Down.
Add: Opens the Add a Script dialog box, where you can specify any additional scripts to use.
Edit: Opens the Edit Script dialog box, where you can modify script information, such as name and parameters.
Remove: Removes the selected script from the Shutdown Scripts list.
Show Files: Displays the script files that are stored in the selected GPO.
Additional considerations
To complete this procedure, you must have Edit setting permission to edit a GPO. By default, members of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group have Edit setting permission to edit a GPO.
Shutdown scripts are run as Local System, and they have the full rights that are associated with being able to run as Local System.
Setting shutdown scripts to run synchronously may cause the shutdown process to run slowly.
How to assign user logon scripts
To assign user logon scripts
Open the Local Group Policy Editor.
In the console tree, click Scripts (Logon/Logoff). The path is User Configuration\Windows Settings\Scripts (Logon/Logoff).
In the results pane, double-click Logon.
In the Logon Properties dialog box, click Add.
In the Add a Script dialog box, do the following:
In Script Name, type the path to the script, or click Browse to search for the script file in the Netlogon shared folder on the domain controller.
In Script Parameters, type any parameters that you want, the same way as you would type them on the command line. For example, if your script includes parameters called //logo (display banner) and //I (interactive mode), type //logo //I.
In the Logon Properties dialog box, specify the options that you want:
Logon Scripts for : Lists all the scripts that currently are assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it and then click Up. To move a script down in the list, click it and then click Down.
Add: Opens the Add a Script dialog box, where you can specify any additional scripts to use.
Edit: Opens the Edit Script dialog box, where you can modify script information, such as name and parameters.
Remove: Removes the selected script from the Logon Scripts list.
Show Files: Displays the script files that are stored in the selected GPO.
Additional considerations
To complete this procedure, you must have Edit setting permission to edit a GPO. By default, members of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group have Edit setting permission to edit a GPO.
Setting logon scripts to run synchronously may cause the logon process to run slowly.
Logon scripts are run as User, not Administrator, and their rights are limited accordingly.
How to assign user logoff scripts
To assign user logoff scripts
Open the Local Group Policy Editor.
In the console tree, click Scripts (Logon/Logoff). The path is User Configuration\Windows Settings\Scripts (Logon/Logoff).
In the results pane, double-click Logoff.
In the Logoff Properties dialog box, click Add.
In the Add a Script dialog box, do the following:
In Script Name, type the path to the script, or click Browse to search for the script file in the Netlogon shared folder on the domain controller.
In Script Parameters, type any parameters that you want, the same way as you would type them on the command line. For example, if your script includes parameters called //logo (display banner) and //I (interactive mode), type //logo //I.
In the Logoff Properties dialog box, specify the options that you want:
Logoff Scripts for : Lists all the scripts that currently are assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it and then click Up. To move a script down in the list, click it and then click Down.
Add: Opens the Add a Script dialog box, where you can specify any additional scripts to use.
Edit: Opens the Edit Script dialog box, where you can modify script information, such as name and parameters.
Remove: Removes the selected script from the Logoff Scripts list.
Show Files: Displays the script files that are stored in the selected GPO.
Additional considerations
To complete this procedure, you must have Edit setting permission to edit a GPO. By default, members of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group have Edit setting permission to edit a GPO.
Logoff scripts are run as User, not Administrator, and their rights are limited accordingly.
Setting logoff scripts to run synchronously may cause the logoff process to run slowly.
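The four procedures above all end with a script file that Windows will execute either as Local System (startup, shutdown) or as the logging-on user (logon, logoff). As an added example (not from the Microsoft article), the following PowerShell lists every script configured in the local GPO for those four triggers and reports which script files can be modified by a principal other than SYSTEM, Administrators or TrustedInstaller. Write access to a startup or shutdown script is equivalent to running code as Local System at the next boot or shutdown. The "trusted" principal list is an assumption; extend it if a deployment tool legitimately writes these files under another identity. Run it from an elevated prompt.

```powershell
# Added example; not from the Microsoft article. Audits local GPO scripts for untrusted write access.
# Assumption: the three principals in $trusted are the only ones that should be able to change them.

$gpoRoot  = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$iniFiles = @(
    @{ Path = "$gpoRoot\Machine\Scripts\scripts.ini";   Scope = 'Computer' }
    @{ Path = "$gpoRoot\Machine\Scripts\psscripts.ini"; Scope = 'Computer' }
    @{ Path = "$gpoRoot\User\Scripts\scripts.ini";      Scope = 'User' }
    @{ Path = "$gpoRoot\User\Scripts\psscripts.ini";    Scope = 'User' }
)
$trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
# Rights that let a principal change the script's content, replace it, or re-ACL it.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# scripts.ini / psscripts.ini hold one section per trigger, for example:
#   [Startup]
#   0CmdLine=startup.cmd
#   0Parameters=//logo //I
# A bare file name refers to the <Scope>\Scripts\<Trigger>\ folder next to the .ini file.
function Get-LocalGpoScript {
    foreach ($ini in $iniFiles) {
        if (-not (Test-Path -LiteralPath $ini.Path)) { continue }
        $section = $null
        foreach ($line in Get-Content -LiteralPath $ini.Path -Force) {   # -Force: the .ini files are hidden
            if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -in 'Startup', 'Shutdown', 'Logon', 'Logoff' -and $line -match '^(\d+)CmdLine=(.*)$') {
                $cmd = $Matches[2].Trim()
                if (-not [System.IO.Path]::IsPathRooted($cmd)) {
                    $cmd = Join-Path (Split-Path -Parent $ini.Path) "$section\$cmd"
                }
                [pscustomobject]@{ Scope = $ini.Scope; Trigger = $section; Order = [int]$Matches[1]; Path = $cmd }
            }
        }
    }
}

# Returns the Allow ACEs on a script file that grant write-class rights to an untrusted principal.
function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'FILE MISSING (check who can create it in that folder)' }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band [int]$writeMask) -ne 0 -and
            $_.IdentityReference.Value -notin $trusted
        } |
        ForEach-Object { "$($_.IdentityReference.Value) [$($_.FileSystemRights)]" }
}

Get-LocalGpoScript | ForEach-Object {
    [pscustomobject]@{
        Scope            = $_.Scope
        Trigger          = $_.Trigger
        Order            = $_.Order
        RunsAs           = if ($_.Scope -eq 'Computer') { 'Local System' } else { 'logging-on user' }
        Script           = $_.Path
        WritableByOthers = (@(Get-UntrustedWriter -Path $_.Path) -join '; ')
    }
} | Format-Table -AutoSize -Wrap
```

A script that reports a non-empty WritableByOthers column is a privilege-escalation path: for startup and shutdown scripts it is a path to Local System, and for logon and logoff scripts it lets one user run code in every other user's session on that computer. Domain GPO scripts live under SYSVOL rather than the local GroupPolicy folder, so run the same ACL check against those paths on the domain controllers.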