Security Logon Audit Tool aka SLAT for SMS 2.0 and 2003
Use the original Security Logon Audit Tool to track where users are logging in. Some sample web reports are included which allow you to: identify all systems a specific user has logged onto, list all users who have logged onto a specific system, identify the top users of systems, and identify systems where the top user is not the last logged-on user.
Here is an updated version of SLAT thanks to my fellow MVP Rick Jones. This includes full SLAT source code for those who are curious. I have not tested this version, and please remember that SLAT is not supported whatsoever by me or Rick. SLAT is still free, and I have no plans to charge for it.
Here's the change history to give you an idea of the features Rick added to SLAT. Thank you Rick!
Change History:
* 1.2 Steve Bobosky: original coder
* 1.2.2 Rick Jones: altered for Cingular custom use
  * Moved argument processing into a loop so that an exclude file can be referenced.
  * The exclude file contains a list of accounts to be excluded, for example service accounts that produce entries but are not wanted in the returned data.
  * Changed the exclude process to use a dictionary and allowed the exclude file contents to be added to the dictionary.
  * Added a process that checks the existing entries against the exclude list; if any are found, the table is reset.
  * Moved logging to the SMS client log by default. If the client log folder cannot be found from the registry, the temp folder is used instead.
  * Fixed an entry where UserLogoninfoDataset.Fields.Append "LastUpdated" was using Date format but needed to be in string format.
  * Added the ability to delay the script during the intensive event log processing. The delay can be specified at the command line, for example /delay:300.
* 1.2.3 Added the Extended User Groups option (use /ExtendedGroups:on on the command line).
  * This creates a separate table containing the security groups for the user.
  * This is needed in an environment where the combined list of security groups would exceed the SMS maximum string length of 254 characters.
FAQ
Question: First, for background context: I am relatively new to SMS and this is my first attempt at modifying the MOF file, so user error is a very likely possibility.
Anyway, my problem is that I am not able to generate reports from the UserLogonInfo data. Each report gives an error of:
Invalid object name 'v_GS_User_Logon_info0'.
Error Number: -2147217865
Source: Microsoft OLE DB Provider for SQL Server
Native Error: 208
I have looked in the SQL database and it doesn't appear that the v_GS_User_Logon_info0 view exists, nor do I see any tables that would correspond to it.
Answer: SLAT version 1.2 added a groups capability that performs an LDAP query for a user's groups and adds them to the WMI information.
You apparently aren't running with the /groupson switch, but you have groups set to TRUE in sms_Def.mof, which is what produces this error.
Question: Does the SMS User Logon Audit-Security Tool 1.2 capture all 528 events regardless of logon type?
One of our users is concerned about their account showing up as having logged on to another user’s workstation several times.
They know that they have never logged on to that workstation either interactively or with remote desktop.
This user fears that their password has been compromised and is being used by someone else on that workstation.
Can these entries possibly be the result of a logon type 3 such as would occur when someone browses to a remote share or does this tool only look for interactive logon types? The security event log on that workstation has since been overwritten so there is no longer any way to verify this from the source.
Answer: Only 528 events are captured.
There is currently not any filtering beyond the 528 event type, so unlocking the computer also counts as a 'logon' event as far as SLAT is concerned.
| Logon Type | Description |
| --- | --- |
| 2 | Interactive (logon at the keyboard and screen of the system) |
| 3 | Network (i.e. a connection to a shared folder on this computer from elsewhere on the network, or an IIS logon). Never logged by 528 on Windows 2000 and later; see event 540 |
| 4 | Batch (i.e. scheduled task) |
| 5 | Service (service startup) |
| 7 | Unlock (i.e. unattended workstation with a password-protected screen saver) |
| 8 | NetworkCleartext (logon with credentials sent in clear text; most often indicates a logon to IIS with "basic authentication") |
| 9 | NewCredentials |
| 10 | RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) |
| 11 | CachedInteractive (logon with cached domain credentials, such as when logging on to a laptop away from the network) |
Event 528 is logged whenever an account logs on to the local computer, except for in the event of network logons (see event 540).
Event 528 is logged whether the account used for logon is a local SAM account or a domain account. For an explanation of the Logon Type field, see Logon Types. For an explanation of the Logon Process field, see event 515. For an explanation of the Authentication Package field, see event 514.
Logon GUID is not documented. It is unclear what purpose the Caller User Name, Caller Process ID, and Transited Services fields serve.
Source Network Address corresponds to the IP address of the Workstation Name. Source Port is the TCP port of the workstation and has dubious value.
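As an added example (not part of SLAT or the original page), the following Python script counts constructed event 528 records the way SLAT does, every 528 regardless of Logon Type, and also breaks them down by type so that an account that only ever appears as an unlock stands out; the user names, domain and workstation name are constructed placeholders, and the optional exclude set mirrors the exclude file described in the change history.

```python
import re
from collections import Counter, defaultdict

# Logon Type codes documented for event 528 (see the table above).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def make_event(event_id, user, logon_type, workstation):
    """Build a constructed Security event carrying a 528-style message body."""
    body = ("Successful Logon:\n\tUser Name:\t%s\n\tDomain:\tEXAMPLEDOM\n\tLogon Type:\t%d\n"
            "\tLogon Process:\tUser32\n\tWorkstation Name:\t%s\n" % (user, logon_type, workstation))
    return {"event_id": event_id, "message": body}

# Constructed sample log for one workstation (names and domain are placeholders).
SAMPLE_EVENTS = [
    make_event(528, "alice", 2, "WS-001"),       # console logon
    make_event(528, "alice", 7, "WS-001"),       # unlock after screen saver
    make_event(528, "bob", 7, "WS-001"),         # unlock only, no session logon seen
    make_event(540, "bob", 3, "WS-001"),         # network logon: a 540, never a 528
    make_event(528, "svc_backup", 5, "WS-001"),  # service account start
    make_event(528, "alice", 10, "WS-001"),      # remote desktop
]

FIELD_RE = re.compile(r"^\s*(User Name|Logon Type|Workstation Name):\s*(.+?)\s*$", re.M)

def parse_528(message):
    """Pull the fields a SLAT-style report needs out of a 528 message body."""
    fields = dict(FIELD_RE.findall(message))
    return {"user": fields["User Name"].lower(),
            "logon_type": int(fields["Logon Type"]),
            "workstation": fields["Workstation Name"]}

def summarize(events, exclude=frozenset()):
    """Count 528s per user as SLAT does (no Logon Type filter) and break them down by type."""
    slat_count, by_type = Counter(), defaultdict(Counter)
    for ev in events:
        if ev["event_id"] != 528:
            continue                      # 540 and all other IDs are not collected
        rec = parse_528(ev["message"])
        if rec["user"] in exclude:        # mirrors SLAT's exclude file
            continue
        slat_count[rec["user"]] += 1
        by_type[rec["user"]][LOGON_TYPES[rec["logon_type"]]] += 1
    # Accounts whose only 528s on this machine are unlocks (Logon Type 7).
    unlock_only = sorted(u for u, c in by_type.items() if set(c) == {"Unlock"})
    return {"slat_count": dict(slat_count),
            "by_type": {u: dict(c) for u, c in by_type.items()},
            "unlock_only": unlock_only}
```

Running `summarize(SAMPLE_EVENTS)` shows bob with one SLAT "logon" that is really an unlock, while his network logon (event 540) is never counted.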
Question: Thank you for the use of the SMS - User Logon Audit-Security Tool. After reviewing the user logon info reported back into the SMS database, I noticed that the time in the LastUpdate and MostRecentEventDate were reported incorrectly. The LastUpdated time is 6 hours ahead (shows 10:41pm 3/28/2006 when inventory was actually run at 4:41pm 3/28/2006) and the MostRecentEventDate is 12 hours ahead (shows 4:21:00 AM 3/29/2006 when the last login event was at 4:21PM 3/28/2006).
Answer: This was resolved in SLAT version 1.2. Make sure you are running the latest version.
