force a logoff, audit machine use

DarkTXKnight

I've got someone who wants to have her business machine log out or lock after a certain amount of inactivity. She would also like to be able to audit when a user logs back on to that machine. This is a Win2K3 domain with XP workstations, so I was thinking that maybe this could be done via global policy. How would I go about this??? Is there a way to audit someone unlocking a computer??

Thanks In Advance
 

nweaver

Check event logs, I know it logs reboots, not sure about logins (perhaps create a login script that writes to the event viewer). The screensaver in XP can be set to lock when it activates. You can manage event logs remotely. Event combat is a program I use to do mass evaluations of multiple event logs.
 

DarkTXKnight

Well, I know about the screensaver lock, but I don't believe it will log that into an audit log when it's unlocked. Basically my problem is that I want to be able to tell when someone is on the computer after hours. I suppose the next best thing would be to write something that would maybe log the machine off after x minutes between the hours of 6PM and 6AM. Then I could use the logon\logoff audit to record any activity between those hours. How do you think I could go about doing all this?

btw, I tried to google "event combat" and I can't find it... got a link??? :)
 

Woodie

In order to "log" the events, you have to turn on certain audit settings on the DCs. Easy to do in a GPO. Use the same GPO to set your security event log appropriately. (2K3 DCs log a LOT of stuff!)

Forcing logoffs is an option on a per-user basis. In my experience, it doesn't work all that well (2K domain, XP clients). YMMV.

Locking the screen is a different GPO setting: It's under the User-Windows side, and should be configured. You may want to enforce this setting in your domain.

IIRC, screen unlocks do appear in the DC logs, and bad password guesses will go to the DC and lock the account. Normally, you can tell from the DC log if a user was left logged in overnight, because you'll continue to see 538/540 events about every two hours, as their Kerberos tickets get refreshed. (That's also what you see during the day.) If you look at the detail codes in a 538/540, you can tell whether the logon is a client logon, a TS logon, and I *think* a screen unlock.
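
Added example, not part of any post in this thread: one way to pull after-hours logons (the 6PM to 6AM window asked about above) out of an exported Security log, using the logon type field to separate unlocks and terminal services logons from network logons. The CSV layout, sample rows, and function names are constructed for illustration; event ID 528 (local logon) and the logon type codes are standard Windows 2000/XP/2003 values, not taken from the thread.

```python
import csv
import io
from datetime import datetime, time

# Logon type codes carried in the detail of Security log logon events.
LOGON_TYPES = {2: "interactive", 3: "network", 7: "unlock", 10: "terminal services"}
LOGON_EVENT_IDS = {528, 540}            # successful logons; 538 is the matching logoff
WINDOW_START, WINDOW_END = time(18, 0), time(6, 0)   # 6PM to 6AM, as in the thread

# Constructed sample export (assumed layout): timestamp,event_id,user,logon_type,computer
SAMPLE_EXPORT = """\
2004-03-01 08:02:11,528,jdoe,2,FRONTDESK
2004-03-01 17:45:30,538,jdoe,2,FRONTDESK
2004-03-01 20:00:05,540,jdoe,3,FRONTDESK
2004-03-01 22:13:47,528,jdoe,7,FRONTDESK
2004-03-02 02:30:00,528,asmith,10,FRONTDESK
2004-03-02 05:59:59,538,asmith,10,FRONTDESK
2004-03-02 06:00:00,528,jdoe,2,FRONTDESK
"""


def is_after_hours(ts):
    """True when ts falls in the window, which wraps past midnight."""
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END


def after_hours_logons(export_text, ignore_types=(3,)):
    """Return (timestamp, user, computer, kind) for logons inside the window.

    Network logons (type 3) are ignored by default: the thread notes they recur
    while a session is simply left logged in, so they do not show keyboard use.
    """
    hits = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 5:
            continue                      # skip blank or malformed lines
        stamp, event_id, user, logon_type, computer = (f.strip() for f in row)
        try:
            ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            event_id, logon_type = int(event_id), int(logon_type)
        except ValueError:
            continue                      # header row or unparseable field
        if event_id not in LOGON_EVENT_IDS or logon_type in ignore_types:
            continue
        if is_after_hours(ts):
            kind = LOGON_TYPES.get(logon_type, "type %d" % logon_type)
            hits.append((stamp, user, computer, kind))
    return hits
```

Calling `after_hours_logons(SAMPLE_EXPORT)` on the constructed rows reports the 22:13 unlock and the 02:30 terminal services logon; the 06:00:00 logon falls outside the window because the end bound is exclusive.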
 

nweaver

Not sure where I got it; an admin friend who worked with me had his "nt tools" with many nice utilities from Res kits and the web. Check the 2000 resource kit, it may have it.

EDIT: just checked my version, it's copyright 2001 by MS, and the version is dated Apr 18, 2003 (that may have been the install date on my system, though)

Check the 2K and 2K3 resource kits. There are sooo many cool tools hidden in there.
 

DarkTXKnight

Well, this gives me a good opportunity to play with GPOs, Woodie, as I have never implemented any. As long as there is a way that I can reasonably tell when someone is working on the machine and when they're not, it'll be alright.
 

ITJunkie

GPOs are very powerful BUT I would be very careful in how you configure them. If you don't know a lot about them I would seriously recommend reading up on them before implementing. I have seen a GPO setting that seems "safe" break all sorts of things in a domain.
 

DarkTXKnight

I agree there.... I have done a little reading and playing around but I would be grateful if you can recommend some sources for some proactive reading