I have created a pair of scripts that log when a user logs on to and off from workstations on a domain.

A basic overview of how the system works is as follows:

  • A share located on an Active Directory server
  • A logon script
  • A logoff script
  • Group Policy to launch the scripts

Setting up the system:

  • Create a directory called AUDIT on a server. Because it will contain only plain text, making it a compressed folder is quite beneficial.
  • Create two folders within it, one called Computers and the other called Users. [fig.1]
  • Share this folder as Audit [fig.2]
  • Set the SHARE permissions as Everyone | Full Control [fig.3]
  • Set the NTFS permissions as: [fig.4]
    • Administrators | Full Control
    • CREATOR OWNER | Special Permissions [fig.5]
    • SYSTEM | Full Control
    • Users | Write
  • Compare your NTFS security with this CACLS output. If it is different, check the above steps. [fig.6]
  • Edit Audit_Logon.bat and Audit_Logoff.bat to point to the newly created share on your server.
  • Set up the GPO to run the scripts for Users when they log on and log off respectively.

Sit back and watch the text files fill up with nicely audited information.
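
Because the share permission is Everyone | Full Control, the NTFS ACL is the only thing limiting what users can do to the logs. The following PowerShell check is an added example, not one of the author's scripts; it compares the folder's ACL with the entries listed in the setup steps. The folder path and the English account names are assumptions.

```powershell
# Added example (not the author's code): compare the AUDIT folder's NTFS ACL
# with the entries listed in the setup steps.
param([string]$Path = 'D:\AUDIT')   # assumption: hypothetical folder location

# Expected Allow entries. Account names assume an English-language Windows build.
# CREATOR OWNER's "Special Permissions" are not spelled out on the page,
# so only the presence of that entry is checked ($null = presence only).
$expected = @{
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Users'          = 'Write'
    'CREATOR OWNER'          = $null
}

function Test-AuditAcl {
    param([string]$Folder, [hashtable]$Expected)

    $sync  = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $allow = @((Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    $problems = @()

    foreach ($name in $Expected.Keys) {
        $rules = @($allow | Where-Object { $_.IdentityReference.Value -eq $name })
        if ($rules.Count -eq 0) { $problems += "Missing entry: $name"; continue }
        if ($null -eq $Expected[$name]) { continue }

        # OR together every Allow rule for this account. Windows adds Synchronize
        # to most entries, so that bit is ignored in the comparison.
        $actual = 0
        foreach ($r in $rules) { $actual = $actual -bor [int]$r.FileSystemRights }
        $want = [int][System.Security.AccessControl.FileSystemRights]$Expected[$name]
        if (($actual -bor $sync) -ne ($want -bor $sync)) {
            $shown = $rules.FileSystemRights -join '; '
            $problems += "$name has '$shown', expected '$($Expected[$name])'"
        }
    }

    # Any other account with access deserves a look (e.g. Everyone).
    foreach ($r in $allow) {
        $id = $r.IdentityReference.Value
        if (-not $Expected.ContainsKey($id)) {
            $problems += "Unexpected entry: $id ($($r.FileSystemRights))"
        }
    }
    return $problems
}

$result = @(Test-AuditAcl -Folder $Path -Expected $expected)
if ($result.Count -eq 0) { 'ACL matches the expected entries.' } else { $result }
```

A finding that Users hold more than Write (for example Modify or Read) means users could read or alter each other's log files.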