Friday, March 8, 2013

Determine number of unique interactive logons and export a list of unique user IDs

Background
Use to determine interactive logon information for any Windows computer (I use on servers running Remote Desktop Services / Terminal Services)

Prep
  • Download EventCombMT.EXE, part of the Account Lockout Tools
  • Create the PostEventCombMt.CMD script below

Perform the export
1. Run EventCombMt.EXE against the target servers. Filter for the following:
  • Windows 2003: Event ID 528
  • Windows 2008: Event ID 4648
  • Security log
  • Success audit


2. Drop the PostEventCombMt.CMD script in the folder with the .LOG files and run PostEventCombMt.CMD

3. Import / open the output file in Excel. Specify a semicolon delimited file.

4. Copy the Domain\Username column and paste into a new worksheet

 
5. Use Advanced filter to filter the list in place showing only unique records. This will hide rows with duplicate user names


6. Re-select the Domain\Username field, copy, then paste into a new worksheet. This should paste only unique user names

 
7. Result:
- List of unique logon IDs / user names
- CTRL+End takes you to the bottom of the list. The row number is the number of unique logons
- If you sort the original worksheet by date, you have an approximate timeframe


PostEventCombMt.CMD Script

@echo off
 

:Start

   CLS
   Echo.
   Echo Script will reformat EventCombMT output to a semicolon-delimited
   Echo format importable to Excel
   Echo.
   Echo Date field is imported to true Excel date field
   Echo Time field is imported to true Excel time field
   Echo Description field is preserved / unmodified
   Echo.
   Echo Run in directory where *_LOG.TXT files exist
   Echo.
   Echo.
   Echo.
   Pause

   for /f "tokens=1-8 delims=:/. " %%a in ('echo %date% %time%') do set LogFile=%%d-%%b-%%c_%%e-%%f-%%g.log

   Echo Server Name;Event ID;Event Type;Event Source;Date;Time;User;Description>"%LogFile%"
   for /f "tokens=1* delims=-" %%x in ('dir /b *_log.txt') do @echo %%x & for /f "tokens=1-10* delims=," %%m in (%%x-%%y) do for /f "tokens=1-7 delims=: " %%a in ("%%p") do @echo %%x;%%m;%%n;%%o;%%b %%c, %%g;%%d:%%e:%%f;%%q;%%r>>"%LogFile%"

:End
   Echo %Date% %Time%
   Echo Script ran to completion
   Pause