http://www.perlmonks.org?node_id=98482


in reply to monitor users on win32

Sys Admin aspects to think about:
How often will you run the script?
Watch your security log settings. Make sure retention doesn't overwrite its contents more often than your script runs. Make sure log file maximum size will support the amount of data.
Look how the logon and logoff Audit Policy is set. Will you charge for a failed logon (bad password, expired account, account locked out)? It can skew your data.

Win32::AdminMisc::UserGetMiscAttributes is yet another method for getting a user's last logon. It won't give as much information as the EventLog, but is quick and easy to implement.

use Win32::AdminMisc; use strict; my $userName = 'me'; # Or gather user list with module my @server = ('PDC', 'BDC', 'Member' ); #Or use other means foreach my $server(@server) { Win32::AdminMisc::UserGetMiscAttributes("\\\\$server", $userName, +\my %Hash); next if $Hash{USER_LAST_LOGON} == 0; # didn't logon print "Last authentication (logon) for $userName in $server was ". +localtime($Hash{USER_LAST_LOGON})."\n"; }