help identifying logged on user on PC

I take it these machines haven't fallen over yet?

The last time I err *cough* accidentally nuked a computer account I got an email half an hour later because a user couldn't log on.

No report yet.

My users have a habit of NEVER logging off.

They just lock the machines at night. I do keep asking them to restart but no-one listens....


If I can't sort this today, I'll just email the office telling everyone that if they don't restart their PC tonight all their work will be deleted from the server and then I should find the PCs when the user fails to log in tomorrow morning.

Only downside is that if the machine is really old (5 years +) then there is a good chance we won't know what the local admin account is. Not a problem if a domain admin has logged in and I'll use the cached credentials with the network cable out.
 
Eww that sucks. It will be you they have a paddy at too if there is a power cut or their PC dies and their work goes *poof*.

You should use something like PowerShell [or psshutdown from sysinternals again :D] to remotely shut down all the machines. I am quite certain users would get the hint the first time they ignore your warning to shut down before they leave :D
 

True but I don't think my director would think the same :)
 
At this point I would just send out an email to the entire company asking everyone to check their computer name! :p

EDIT: Or check the asset tag if it is somewhere the user can see it.
 

I just spent 20 minutes walking round and checking them all.

Can't find the other 4 PCs at all.

2 of them are pingable with an IP address that's local to my site!!

Must be about somewhere.....
 
Yeah I've got something similar but I seem to be having some issues with it. Can you paste in a post for me and I'll give it a crack??

Sent an email to you via trust with the code, as said not sure how good it'll be to you if the permissions are stuffed :(
 
Cheers for the script.

I've just had a look through it and sadly that won't work as it uses the remote registry to get the required data and I can't access that when the trust has failed.

Many thanks for the effort anyways :)
 
As a proof of concept - and for something to do - I decided to implement my logon/logoff script idea :D

I have two scripts.

logon.bat
Generates a random 15 character alphanumeric string called sessionid and then writes:
LOGON,%DATE% %TIME%,%USERNAME%,%COMPUTERNAME%,%sessionid% to a log on my server and also saves the sessionid to a temp file on the machine.

logoff.bat
This reads the saved session ID, and outputs almost identical info as above to the log, prefixed with LOGOFF instead.

The log file is all very pretty, but I went one step further - I wrote a PowerShell script that parses the log file and generates logon session objects which I can query.

So now if I was ever in your situation [unlikely, home domain only has 4 machines! :p] I can load up a PS console and type:

Code:
Get-LogonSessions -computer SFLAPTOP01

And I get something like below as the output:

Code:
Open            : False
LogonTime       : 16/07/2010 20:31:44.13
Computer        : SFLAPTOP01
User            : user1
SessionDuration : 0.69
SessionID       : GW0Wp8cWJcV78S8
LogoffTime      : 16/07/2010 21:13:17.34

Open            : False
LogonTime       : 16/07/2010 21:31:23.47
Computer        : SFLAPTOP01
User            : user2
SessionDuration : 1.42
SessionID       : IUEgvev0f4zJbH
LogoffTime      : 16/07/2010 22:56:30.33

Open            : True
LogonTime       : 17/07/2010  1:12:34
Computer        : SFLAPTOP01
User            : user3
SessionDuration : 0
SessionID       : BblPovm3QAT30ns
LogoffTime      :

From that I can see user3 was the last to log in to SFLAPTOP01, and since the session is still open they're very likely to be the last person using it :D

One command did what it has taken you several hours to do :eek::p

It is not perfect - I have not decided how to handle missing LOGOFF events [i.e. computer crashes or server is unavailable to update the log etc] - but the theory is sound! :D

I originally tried to parse the Event Logs on the server, but it was really hard trying to decipher the logs as there was nothing to differentiate the different logon events [same ID for users, built-in users, type of logon etc].
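
One way to pair the LOGON/LOGOFF lines described in the post above, including the missing-LOGOFF case it leaves open. This is an added example, not the poster's script: the names ConvertTo-LogonSession and Superseded are hypothetical, the dd/MM/yyyy timestamp layout is assumed from the sample output, and treating a later logon on the same computer as evidence of a lost LOGOFF is an assumption.

```powershell
# Added example: pairs LOGON/LOGOFF log lines by session ID. All names are hypothetical.
function ConvertTo-LogonSession {
    param([Parameter(Mandatory)][string[]]$Line, [string]$Computer)
    # Assumed %DATE% %TIME% layout (locale dependent): dd/MM/yyyy H:mm:ss[.ff]
    $formats  = [string[]]@('dd/MM/yyyy H:mm:ss.ff', 'dd/MM/yyyy H:mm:ss')
    $culture  = [cultureinfo]::InvariantCulture
    $styles   = [System.Globalization.DateTimeStyles]::None
    $sessions = [ordered]@{}
    foreach ($l in $Line) {
        $f = $l.Split(',')
        if ($f.Count -ne 5 -or $f[0] -notin 'LOGON', 'LOGOFF') { continue }  # skip malformed lines
        $stamp = $f[1].Trim() -replace '\s+', ' '   # %TIME% pads single-digit hours with a space
        $when  = [datetime]::MinValue
        if (-not [datetime]::TryParseExact($stamp, $formats, $culture, $styles, [ref]$when)) { continue }
        $id = $f[4].Trim()
        if ($f[0] -eq 'LOGON') {
            $sessions[$id] = [pscustomobject]@{
                Open = $true; LogonTime = $when; LogoffTime = $null
                Computer = $f[3].Trim(); User = $f[2].Trim(); SessionID = $id; Superseded = $false
            }
        } elseif ($sessions.Contains($id)) {        # LOGOFF with no matching LOGON is ignored
            $sessions[$id].Open = $false
            $sessions[$id].LogoffTime = $when
        }
    }
    # Heuristic (an assumption): an open session followed by a later LOGON on the same
    # computer probably lost its LOGOFF line (crash, log server unreachable), so flag it.
    foreach ($group in ($sessions.Values | Group-Object Computer)) {
        $latest = $group.Group | Sort-Object LogonTime | Select-Object -Last 1
        $group.Group | Where-Object { $_.Open -and $_.SessionID -cne $latest.SessionID } |
            ForEach-Object { $_.Superseded = $true }
    }
    $sessions.Values | Where-Object { -not $Computer -or $_.Computer -eq $Computer }
}

# Constructed sample log; the user2 session never wrote its LOGOFF line.
$sample = @(
    'LOGON,16/07/2010 20:31:44.13,user1,SFLAPTOP01,AAAAAAAAAAAAAA1'
    'LOGOFF,16/07/2010 21:13:17.34,user1,SFLAPTOP01,AAAAAAAAAAAAAA1'
    'LOGON,16/07/2010 21:31:23.47,user2,SFLAPTOP01,BBBBBBBBBBBBBB2'
    'LOGON,17/07/2010  1:12:34.05,user3,SFLAPTOP01,CCCCCCCCCCCCCC3'
)
ConvertTo-LogonSession -Line $sample -Computer SFLAPTOP01 |
    Format-Table User, Open, Superseded, LogonTime, LogoffTime
```

With the constructed sample, user2 and user3 both show as open, but only user2 is flagged as superseded, which leaves user3 as the likely current user.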
 