Active Directory Scripts Security Windows Server

AD Login Logging

Mike Hosker

In larger Active Directory environments — schools, offices with many workstations — knowing who logged in where and when can be invaluable for troubleshooting and auditing. Windows Event Logs capture this, but correlating them across hundreds of machines is painful. A logon script that writes to a central CSV is much easier to query.

This was deployed across a 200-workstation school network.

The Script

The script collects five pieces of data at login time and appends them as a CSV row to a network share.

@echo off

:: Collect login data
set "val1=%DATE%"
set "val2=%TIME%"
set "val3=%USERNAME%"
set "val4=%COMPUTERNAME%"

:: Get the IPv4 address: split the "IPv4 Address. . . : x.x.x.x" line on the colon
:: (if the machine has several adapters, the last IPv4 line listed wins)
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do set "ip=%%b"
:: Drop the single space that follows the colon
set "ip=%ip:~1%"

:: Write to the log file (redirect placed first so the row gets no trailing space)
set "str=%val1%,%val2%,%val3%,%val4%,%ip%"
>>\\server\LogShare\userlog.csv echo %str%

NTFS Permissions — Critical

Users must not be able to read or modify the log file, or they could tamper with it. Set the NTFS permissions on userlog.csv as follows:

  • Domain Users — Create files / write data only (append access, no read)
  • Domain Admins — Full Control
  • SYSTEM — Full Control

The >> redirect in the script appends to the file without needing read access, so this works correctly with append-only permissions.

Deployment

Add the script to the NETLOGON share and call it from the domain logon script:

:: In the main logon script (\\domain\NETLOGON\logon.bat)
call "\\domain\NETLOGON\log_login.bat"

Every login across every machine will append a row to the central CSV. Filter by username, computer, or date to find what you need.
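As an added example (not part of the original post), here is a small Python reader for the CSV the script produces. It assumes en-US %DATE% and %TIME% formats and uses constructed sample rows; it filters by user, computer or date, sets aside rows that do not match the five-field format (the logging users hold write access to the file, so nothing enforces the format), and flags an account seen on several computers within a few minutes.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
# Constructed sample of rows as log_login.bat appends them: DATE,TIME,USERNAME,COMPUTERNAME,IPv4
# (en-US %DATE% and %TIME% formats assumed; the real file has no header row).
SAMPLE_LOG = """\
Mon 03/04/2024, 8:01:12.33,jsmith,LAB1-PC01,10.1.20.11
Mon 03/04/2024, 8:02:40.10,jsmith,LAB1-PC02,10.1.20.12
Mon 03/04/2024, 8:15:05.90,adm-bob,STAFF-PC07,10.1.30.7
Tue 03/05/2024, 9:00:00.00,jsmith,LAB1-PC01,10.1.20.11
garbage written by something other than the logon script
"""

def parse_log(text):
    """Return (events, rejected); rows without five fields or a parsable timestamp go to rejected."""
    events, rejected = [], []
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            rejected.append(row)
            continue
        # strip() removes the leading space %TIME% carries and any trailing space after the IP
        date, time, user, host, ip = (f.strip() for f in row)
        try:
            ts = datetime.strptime(f"{date} {time}", "%a %m/%d/%Y %H:%M:%S.%f")
        except ValueError:
            rejected.append(row)
            continue
        events.append({"ts": ts, "user": user, "host": host, "ip": ip})
    return events, rejected

def logins_for(events, user=None, host=None, day=None):
    """Filter by username, computer and/or calendar date (names compared case-insensitively)."""
    return [e for e in events
            if (user is None or e["user"].lower() == user.lower())
            and (host is None or e["host"].lower() == host.lower())
            and (day is None or e["ts"].date() == day)]

def shared_account_candidates(events, window=timedelta(minutes=5)):
    """Users seen on more than one computer within `window`: a shared password or a stale session."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) > 1:
                flagged[user] = sorted(hosts)
    return flagged
```

Because each row is written by the logging user's own account, treat the CSV as a convenience index and confirm anything surprising against the Security event log (logon event 4624) on the domain controllers.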

Extending It

The AD Login Alerting post builds on this, adding email notifications when admin accounts log in.