Here's something i came up with to find when users are logging on and off of their machines. 

First we need to create a powershell script to find the actual info (i wish i wrote this, found it on the internet):


$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProeprty = @{n="Time";e={$_.TimeGenerated}}
Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProeprty


Save this as "get_logon_logoff.ps1"

Next create a new script in the K1000. 

Script type = Shell Script.

Upload the ps1 file as a dependency for the script.

Enter this for this script text.


IF NOT EXIST C:\windows\tvg (
mkdir c:\windows\tvg
powershell.exe -nologo -executionpolicy bypass -WindowStyle hidden -noprofile -file get_logon_logoff.ps1 > c:\windows\tvg\log.txt

Also make sure you change the script name from to script.bat.




Run this script on your test machine.

Next to actually see the information we'll create a custom inventory rule.

I called mine "Log on / Log off", but it doesn't really matter.

Whats important is the rule syntax:

ShellCommandTextReturn(cmd.exe /c type c:\windows\tvg\log.txt)

This is what it looks like when we're all done.

I hope this helps and you guys like it!

**post edit, in the script text there should only be one ">" instead of 2 (">>"). I corrected in the code but not the pic.