help identifying logged on user on PC

hey guys,

Someone from our other office has deleted a load of computer accounts from AD. I'm now seeing 5 entries in the DC event viewer for 'failed to authenticate' errors (NETLOGON 5805)

I'm guessing that these 5 machines are still on but the user has yet to log off so hasn't realized that their PC is off the domain.

Is there a way of finding out who is currently logged on so I can go and see them and correct the problem BEFORE it fails?

I've tried mapping to the IP and PC name but get the 'the primary relationship failed between the target machine and the domain' error so can't see the user's folder.

I've also tried using PsLoggedOn but that also fails as it is unable to read the registry of the remote PC.

Any suggestions???

Cheers in advance :)
 
hi,

thanks for the reply.

I can't map to the machines as they're not part of the domain.

I'll have a butchers at the tools now.
 
sadly no.

'the trust relationship between this workstation and the primary domain failed'

those windows tools, didn't work either :(
 
Do you know a local login on the machine (do they have the same local admin account, for example)?

Create a login on the AD that matches the username and password of the local account and login with that new AD account - then try and query the remote machine with tools.

Nice idea and I like your thinking, but not all PCs have the same local accounts on them. Most only have the local admin account so sadly, that's a non-starter.

looks like I'll have to wait until the user complains to find out which machines they are.

All PCs are named according to their asset tag number so I've asked finance to provide the asset list and I'll see if that helps. Sadly, that'll only work if the asset list has been updated to track who currently has that piece of equipment.
 
Why not just do a restore of AD?

not sure, I'll look in to it. cheers

This is why it might have been a good idea to name the PCs via the method of [site][room number][PC ID, e.g. A01/A02/A03];
then you wouldn't need the user logged on, you could have gone to the room as above (unless it gets moved without anyone knowing!)

Don't you have a list of who access what machine? or do users move about?

What method do you deploy your workstation builds?

I agree that the naming convention isn't great but that's what was started long before I started working here so it's just been carried on.

Yes, PCs and users get swapped about quite often.

Install windows, asset tag, add to domain with PC name same as asset tag, install relevant software depending on dept, setup under desk for user.


You could perhaps search through the security logs on the DC for Logon events [ID 4624] that use the IP of the deleted computers. That's assuming you know the IPs of course. If you have the names then a simple ping <name> should give you them.

So you could get the list of IP addresses, then do a search for them.

Unfortunately you will get a lot of Events from each IP and not all of them will have an actual user. It is also quite tedious!

If you aren't able to give your computers a sensible name, you could always create [or modify] a login script with the line:

Code:
echo %TIME% %DATE%:%USERNAME%:%COMPUTERNAME% >> \\server\aShare\user_session.txt

Then if you ever need to know where a computer is or who last logged in from there, you can just parse the file [or go through it manually].
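As an added example (not part of the post above), this is how that search could be scripted on the DC with PowerShell. It assumes the DC runs Windows Server 2008 or later, where logons are recorded as event ID 4624 (a Windows Server 2003 DC logs them as 528 and 540 instead and does not have Get-WinEvent); the DC name, the IP list and the two-day window are placeholders you would fill in.

```powershell
# Added example, not from the original post. Placeholders you must change: $DcName, $SuspectIps.
# Assumes the DC runs Windows Server 2008 or later (Get-WinEvent, event IDs 4624/4625) and
# that you are an admin or a member of Event Log Readers on it.
$DcName     = 'DC01'                                  # hypothetical DC name
$SuspectIps = @('192.168.1.50', '192.168.1.51')       # hypothetical IPs of the orphaned PCs
$Since      = (Get-Date).AddDays(-2)                  # how far back to search

# 4624 = successful logon, 4625 = failed logon. Both carry the caller's IpAddress,
# WorkstationName and TargetUserName, so even a failed attempt still names the user.
$events = Get-WinEvent -ComputerName $DcName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # The fields we need live in the event's XML payload, not in the message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($SuspectIps -contains $d['IpAddress']) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            IpAddress   = $d['IpAddress']
            Workstation = $d['WorkstationName']
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = $d['LogonType']
        }
    }
}

# Machine accounts end in '$' and ANONYMOUS LOGON is noise; keep only the newest hit
# per IP so you end up with one candidate user per orphaned PC.
$hits |
    Where-Object { $_.User -notmatch '\$$' -and $_.User -notmatch 'ANONYMOUS' } |
    Sort-Object Time -Descending |
    Group-Object IpAddress |
    ForEach-Object { $_.Group[0] } |
    Format-Table Time, EventId, IpAddress, Workstation, User, LogonType -AutoSize
```

Because the workstations are on DHCP, the IP seen in the log may not be the one the machine has now. The WorkstationName field is the name the client itself sends, so if you already know the deleted computer names (the asset tags), swapping the `$SuspectIps -contains $d['IpAddress']` test for a match on `$d['WorkstationName']` avoids the IP problem entirely.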


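To go with the logon-script idea above, here is an added example (not from the post) that reads the resulting user_session.txt and reports the last user seen on each of a given set of computers. It assumes every line has exactly the shape the one-liner writes, `<%TIME%> <%DATE%>:<USERNAME>:<COMPUTERNAME>`, that the file is append-only so later lines are newer, and uses constructed sample lines in place of the real share path.

```powershell
# Added example, not from the original post. Parses the file written by the one-line logon
# script. Assumes each line is "<%TIME%> <%DATE%>:<USERNAME>:<COMPUTERNAME>" and that the
# file is append-only, so later lines are newer. $Log is a placeholder path.
$Log = '\\server\aShare\user_session.txt'

# Constructed sample lines standing in for the real file; in practice use: $lines = Get-Content $Log
$lines = @(
    '08:55:12.30 29/03/2010:jsmith:PC00123'
    '09:01:47.02 29/03/2010:agreen:PC00456'
    '17:30:05.11 29/03/2010:jsmith:PC00789'
    '08:50:00.00 30/03/2010:bjones:PC00123'
)

function ConvertFrom-SessionLine {
    param([string]$Line)
    # %TIME% itself contains colons, so split on ':' and read the fields from the right:
    # last = computer, second last = user, everything before that = the timestamp.
    $parts = $Line -split ':'
    if ($parts.Count -lt 3) { return }
    [pscustomobject]@{
        Stamp        = ($parts[0..($parts.Count - 3)] -join ':')
        User         = $parts[-2].Trim()
        ComputerName = $parts[-1].Trim().ToUpper()
    }
}

$rows = $lines | ForEach-Object { ConvertFrom-SessionLine $_ }

# Last user seen on each computer: file order is time order, so the last entry wins.
$lastByPc = @{}
foreach ($r in $rows) { $lastByPc[$r.ComputerName] = $r }

# Look up the orphaned machines by their asset-tag names (placeholders).
$Orphans = @('PC00123', 'PC00789', 'PC00999')
foreach ($pc in $Orphans) {
    if ($lastByPc.ContainsKey($pc)) {
        $r = $lastByPc[$pc]
        "{0}: last logon by {1} at {2}" -f $pc, $r.User, $r.Stamp
    } else {
        "{0}: no logon recorded" -f $pc
    }
}
```

The timestamp is kept as a string because %DATE% comes out in whatever format each client's locale uses, so sorting by it is unreliable; file order is the safer ordering. One caveat: for the logon script to append, every user needs write access to that file on the share, which also means any user can edit or wipe it, so treat it as a convenience record rather than evidence.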
Not a bad idea. This would of course be subject to the fact that all end user machines get IPs dished out from DHCP, so they might have changed. I'll look in to that.

As for the logon script. I don't think that is necessary. These machines are very old and I have already created a rather large logon script to map drive and printers depending on AD security groups.


Do you not know the local admin account and p/w?



Check with your network team, can they find out which switch/port the PC is on by IP address and then see where that is patched to?

Might even be worth sniffing the traffic, see if their user name gets sent when they try to authenticate to apps etc.


The local admin password could be any of our old domain passwords. This has thrown into the light the need for a standard local admin password which I'll sort once these 5 machines are found and fixed.

As for checking the switches, I have looked at my distribution switches and they are all Netgear FSM726s and I see nothing in the navigation to suggest I can see what IPs are using what ports.

Unless I'm missing something......

As for sniffing, I do have a PC that I used to sniff some traffic a while back but I have no hubs left to broadcast all the network traffic onto a single port to be sniffed. It broke :(
 
edit;

I've managed to find the MAC address of 2 of the PCs and I can search the switches for activity and their port numbers based on MAC addresses.

Nearly there!!! :) but with 12 disti switches this might take a while.....
 
hmm I've got a vb script I use that does a WMI query on a machine for the locally logged on user, but not sure if that'd work if your permissions are stuffed :/

Yeah, I've got something similar but I seem to be having some issues with it. Can you paste it in a post for me and I'll give it a crack?


So far I've found two machines. Well, what I mean is I've found the switch and port number it is on.......
 
Writing a few dozen characters to a file is not going to slow down your machines at logon. Plus the extra 5 nanoseconds it takes will save you the two days you have been tracking down these machines. ;)

A program by sysinternals called ADRestore may be able to restore the Computer accounts - I don't know if they work as before, as tombstoning causes some of the attributes to be lost.
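As an added example (not from the post above), this is the equivalent of the ADRestore approach done with the ActiveDirectory PowerShell module. It assumes a Windows Server 2008 R2 or later domain with the AD Recycle Bin enabled, which is what lets Restore-ADObject bring the objects back with their attributes intact; the two-day window is a placeholder.

```powershell
# Added example, not from the original post. Uses the ActiveDirectory module (Windows Server
# 2008 R2 / RSAT or later) and assumes the AD Recycle Bin is enabled so Restore-ADObject can
# bring an object back with its attributes intact. Run as a Domain Admin.
Import-Module ActiveDirectory

$Since = (Get-Date).AddDays(-2)        # placeholder: roughly when the accounts were deleted

# Deleted objects are hidden from normal queries unless -IncludeDeletedObjects is given.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter { objectClass -eq "computer" -and isDeleted -eq $true -and whenChanged -ge $Since } `
    -Properties sAMAccountName, lastKnownParent, whenChanged

# Review the list before touching anything.
$deleted | Format-Table sAMAccountName, lastKnownParent, whenChanged -AutoSize

# Put each one back into the OU it was deleted from, then confirm it exists and is enabled.
foreach ($obj in $deleted) {
    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $obj.lastKnownParent
    Get-ADComputer -Identity $obj.sAMAccountName |
        Select-Object Name, Enabled, DistinguishedName
}
```

Without the Recycle Bin you are back to tombstone reanimation (ADRestore or ldp.exe), and only the attributes kept in the tombstone come back, which is the loss mentioned above. Either way, check from each workstation afterwards with `nltest /sc_verify:<yourdomain>` (or `Test-ComputerSecureChannel` on Windows 7 and later); if the secure channel still fails, reset the machine password with `Reset-ComputerMachinePassword` or rejoin the PC.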

True, maybe I'm lazy. It might be worth considering once this has been sorted. ;)

Tbh, I've spent about an hour and a half on this so far. Other jobs keep walking through the door, plus I've got a software audit I'm doing, planning a roll out for laptop HDD encryption and god knows what else is on my to do list.

Cheers for all the help so far guys :)
 
I take it these machines haven't fallen over yet?

The last time I err *cough* accidentally nuked a computer account I got an email half an hour later because a user couldn't log on.

no report yet.

My users have a habit of NEVER logging off.

They just lock the machines at night. I do keep asking them to restart but no-one listens....


If I can't sort this today, I'll just email the office telling everyone that if they don't restart their PC tonight all their work will be deleted from the server and then I should find the PC's when the user fails to login tomorrow morning.

Only downside is that if the machine is really old (5 years +) then there is a good chance we won't know what the local admin account is. Not a problem if a domain admin has logged in and I'll use the cached credentials with the network cable out.
 
Eww, that sucks. It will be you they have a paddy at too if there is a power cut or their PC dies and their work goes *poof*.

You should use something like Powershell [or psshutdown from sysinternals again :D] to remotely shutdown all the machines. I am quite certain users would get the hint the first time they ignore your warning to shutdown before they leave :D

True, but I don't think my director would think the same :)
 
At this point I would just send out an email to the entire company asking everyone to check their computer name! :p

EDIT: Or check the asset tag if it is somewhere the user can see it.

I just spent 20 minutes walking round and checking them all.

Can't find the other 4 PCs at all.

2 of them are pingable with an IP address that's local to my site!!

Must be about somewhere.....
 
Cheers for the script.

I've just had a look through it and sadly that won't work as it uses the remote registry to get the required data and I can't access that when the trust has failed.

Many thanks for the effort anyways :)
 