Do you know who is logged on at 11pm?

Group Policy, Scripting, Windows 2003, Windows XP

I have created a pair of scripts that log when a user logs on and off to workstations on a domain.

A basic overview of how the system works is as follows:

  • A share located on an Active Directory server
  • A logon script
  • A logoff script
  • Group Policy to launch the scripts

Setting up the system:

  • Create a directory called AUDIT on a server. As it will only contain plain text, making it a compressed folder is quite beneficial.
  • Create two folders within it, one called Computers and the other called Users. [fig.1]
  • Share this folder as Audit [fig.2]
  • Set the SHARE permissions as Everyone | Full Control [fig.3]
  • Set the NTFS permissions as: [fig.4]
    • Administrators | Full Control
    • CREATOR OWNER | Special Permissions [fig.5]
    • SYSTEM | Full Control
    • Users | Write
  • Compare your NTFS security with this CACLS output.  If it is different check the above steps. [fig.6]
  • Edit Audit_Logon.bat and Audit_Logoff.bat to point to the newly created share on your server.
  • Set up the GPO to run the scripts for Users when they log on and log off respectively.

Sit back and watch the text files fill up with nicely audited information.
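
To answer the title's question from the collected files, the logon and logoff entries have to be paired up. The following is an added example, not the author's scripts: it assumes each line has the form EVENT,YYYY-MM-DD HH:MM:SS,user,computer (the page does not show the real format), and the function names and sample lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED format (the page does not show what
# the scripts write): EVENT,YYYY-MM-DD HH:MM:SS,user,computer
SAMPLE_LOG = """\
LOGON,2007-06-12 08:55:10,alice,WS-014
LOGOFF,2007-06-12 17:31:02,alice,WS-014
LOGON,2007-06-12 21:40:33,bob,WS-022
LOGON,2007-06-12 22:05:00,alice,WS-031
this line is damaged
LOGOFF,2007-06-12 23:30:45,bob,WS-022
LOGON,2007-06-09 09:00:00,carol,WS-007
""".splitlines()


def parse_events(lines):
    """Yield (time, event, user, computer); malformed lines are skipped."""
    # Users hold Write on the share, so the files are untrusted input.
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[0].upper() not in ("LOGON", "LOGOFF"):
            continue
        try:
            ts = datetime.strptime(parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[0].upper(), parts[2].lower(), parts[3].upper()


def sessions_open_at(lines, when, max_age=timedelta(hours=24)):
    """Return (open, stale) lists of (user, computer) at time `when`.

    A logon with no logoff for longer than max_age is reported as stale:
    more likely a logoff script that never ran than a live session.
    """
    started = {}
    for ts, event, user, computer in sorted(parse_events(lines)):
        if ts > when:
            break
        if event == "LOGON":
            started[(user, computer)] = ts
        else:
            started.pop((user, computer), None)
    open_now, stale = [], []
    for key, ts in sorted(started.items()):
        (stale if when - ts > max_age else open_now).append(key)
    return open_now, stale
```

Calling sessions_open_at(SAMPLE_LOG, datetime(2007, 6, 12, 23, 0)) lists the sessions open at 11pm and, separately, the logons that never received a matching logoff.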

RSA Authentication Agent and SID800 Tokens

RSA, Two-Factor, VPN, Windows 2003, Windows XP

I have recently implemented an RSA SecurID infrastructure to provide secure two-factor authentication over both local login to servers and workstations and also EAP VPN authentication.  This was initially using SID700 tokens and worked brilliantly.  Since then we have purchased a number of SID800 tokens which have USB connectors built in to automatically pass through the code on the display.

Unfortunately I have been unable to get them to fully integrate with the logon GINA and still allow full VPN EAP support, until now!

There is not a lot of documentation around doing this with the SID800 tokens, so below is the high-level overview of what I have installed to get them to work, in order:

  • Microsoft USB CCID hardware drivers
  • RSA Authentication Agent 6.1
  • RSA Authentication Agent 6.1.2 patch
  • RSA Authenticator Utility

If anyone would like further details please drop me an email and I will do my best to help you out.

Microsoft ISA Server 2004 Service Pack 3

ISA, Server, Windows 2003

In May Microsoft released Service Pack 3 for Microsoft ISA Server 2004. When I attempted to install this update it would bring the firewall down and the service could not be restarted.  It would result in leaving mixed components on the ISA Server, causing the service startup to fail.  I have now managed to apply this service pack without issue.  Below is the method that I used:

  • Download Service Pack 3 from the Microsoft ISA Download Site for your ISA 2004 edition
  • Disable caching; it can be re-enabled once the update is complete
  • Make sure all ISA UI are closed and no other ISA utilities are in use
  • Install SP3 using this command line:
    • Msiexec /p <FullPathToSP3Package> REINSTALL=all REINSTALLMODE=omus SKIP_DIAGLOGACLS=1 /l*v C:\ISAsp3.log

If this still fails, re-apply SP2 to get the ISA service operational again.

Using a JPG with a roaming profile

Roaming Profiles, Scripting, VBS, Windows 2003, Windows XP

There is a known issue that if you use a non-BMP wallpaper in a roaming profile using Microsoft Windows, it will not roam with the user.  To resolve this I created a script that, when used as a logoff script, will enable the wallpaper to roam.

MoveJPGWallpaper.vbs

Further to this I would highly recommend that you implement the User Profile Hive Cleanup Service which is a free download from Microsoft.com.  The User Profile Hive Cleanup service helps to ensure user sessions are completely terminated when a user logs off. System processes and applications occasionally maintain connections to registry keys in the user profile after a user logs off. In those cases the user session is prevented from completely ending. This can result in problems when using Roaming User Profiles in a server environment or when using locked profiles as implemented through the Shared Computer Toolkit for Windows XP.

I would also recommend that you use the Microsoft Group Policy Management Console (GPMC) as this will give you a far greater level of control over your GPOs.
