Windows Server 2016 – Tracking user logins with Logon/Logoff scripts

File Management Commands in Linux

I have been working with RDS since before it was called RDS, and something that absolutely every single customer asks for is the ability to report on which users are connecting to which RDSH servers. Ideally, they would like to be able to see, historically, a list of people logging in, and sometimes even some data about when the user logged off the server as well. The only information I have ever found natively inside Windows that can help with this information gathering is the Windows Security Event Logs, but those are extremely messy to try and weed through to find what you are looking for. It’s definitely not worth the hassle. So what’s the solution here? The easiest way I have found to record login and logout information is to build and utilize some scripts that will run during every user logon and logoff. This is quite simple to do on each of your RDSH servers; let’s give it a try together so you can have an idea of what I typically do, and then you can adjust from there based on your specific needs.

Getting ready

Here, we are going to build a couple of scripts on our RDS1 server, which is a Remote Desktop Session Host. Everything we will do is right on this Windows Server 2016 box.

How to do it…

Follow these steps to start recording information about user logins on your RDSH servers:

  1. Log into RDS1 and create a new batch file. We are going to utilize good old batch file scripts, but you could also create something with PowerShell to accomplish the same function. I find, however, that a single line of code inside a batch file does the trick quite well. I have created the following script on mine: C:\Reporting\Logon.bat
  2. Now right-click on that script, and choose Edit in order to open it up in Notepad.
  1. Input the following text:
      Echo %date%,%time%,%username%,%computername% >> 
  1. Now you need to copy your logon script and place it inside the following folder: C:\Windows\System32\grouppolicy\user\scripts\logon.
You may have to create this folder structure if it doesn’t already exist.
  1. Now open up gpedit.msc and navigate to User Configuration | Windows Settings | Scripts (Logon/Logoff). Go ahead and specify your Logon script here:
  1. With this single command, we are logging quite a bit of data into the Logons.txt file: the current date, time, user’s login name, and the RDSH server name they are logging into. Go ahead and log in to RDS1 a few times with different user accounts, and then open up this text file. You can see some information now being logged:

I typically use commas to separate the pieces of data so that this text file can be imported into Excel later to be further manipulated and categorized.

Alternatively, you could utilize two separate batch files, one for logons, and one for logoffs. I like this method because we can also split up the logging into multiple smaller text files, one for each username. Then we can see very quickly all the times that each username logged in and logged out. Here is an example of how to accomplish that:

  1. Logon script: Echo LOGON,%date%,%time%,%username%,%computername% >> "C:\Reporting\%username%.log".
  2. Logoff script: Echo LOGOFF,%date%,%time%,%username%,%computername% >> "C:\Reporting\%username%.log".
  3. Place your new Logon script inside C:\Windows\System32\grouppolicy\user\scripts\logon.
  4. Place your new Logoff script inside C:\Windows\System32\grouppolicy\user\scripts\logoff.
  5. Inside gpedit.msc, make sure that you incorporate both the Logon and Logoff scripts. These are in the same location we visited before.
  1. Once your logon and logoff scripts are copied into the right places and specified inside gpedit, you can start logging in and out of your RDS1 server. After a few attempts, take a look inside the C:\Reporting folder. Now we have multiple text files listed here, one for each username. Inside each text file we can see timestamps for both logons and logoffs that were performed by that user. It’s pretty neat data collection for how simple those scripts are!

How it works…

We can utilize some very simple logon and logoff scripts on RDSH servers in order to generate reporting information about who is logging in, where they are logging in, and at what times they are coming and leaving. Incorporating these reporting scripts onto each of your RDSH servers and then having them all report to a central location can greatly improve your ability to generate user accounting information. This is a common question among those utilizing RDS, and hopefully you can take this information and build on top of it further to gather whatever info is important to your organization.

Comments are closed.