help identifying logged on user on PC

hey guys,

Someone from our other office has deleted a load of computer accounts from AD. I'm now seeing 5 entries in the DC event viewer for 'failed to authenticate' errors (NETLOGON 5805)

I'm guessing that these 5 machines are still on but the user has yet to log off so hasn't realized that their PC is off the domain.

Is there a way of finding out who is currently logged on so I go and see them and correct the problem BEFORE it fails??

I've tried mapping to the IP and PC name but get the 'the primary relationship failed between the target machine and the domain' error so can't see the user's folder.

I've also tried using PsLoggedOn but that also fails as it is unable to read the registry of the remote PC.

Any suggestions???

Cheers in advance :)
 
hi,

thanks for the reply.

I can't map to the machines as they're not part of the domain.

I'll have a butchers at the tools now.
 
You should still be able to connect to the machine via IP to c$ even if they're not on the domain so long as they're on the same network. Sounds like you might have another problem going on there if that's the case.

I do it all the time with machines I've just imaged but not domain'd up.
 
sadly no.

'the trust relationship between this workstation and the primary domain failed'

those windows tools, didn't work either :(
 
Do you know a local login on the machine (do they have the same local admin account for example?)

Create a login on the AD that matches the username and password of the local account and login with that new AD account - then try and query the remote machine with tools.
 
Do you know a local login on the machine (do they have the same local admin account for example?)

Create a login on the AD that matches the username and password of the local account and login with that new AD account - then try and query the remote machine with tools.

Nice idea and I like your thinking but not all PCs have the same local accounts on them. Most only have the local admin account so sadly, that's a non-starter.

looks like I'll have to wait until the user complains to find out which machines they are.

All PCs are named according to their asset tag number so I've asked finance to provide the asset list and I'll see if that helps. Sadly, that'll only work if the asset list has been updated to track who currently has that piece of equipment.
 
Why not just do a restore of AD?

Alternatively you could compare the clients on your DNS server's DNS list with those still in your AD, not ideal but it should show up the 5 missing.

Edit - just realised you know the PC names, just after the usernames! That's going to be bloomin hard without any local admin access :(
 
This is why it might have been a good idea to name the PCs via the method of [site][room number][pc ID e.g A01/A02/A03], then you wouldn't need the user logged on, you could have gone to the room as above (unless it gets moved without knowing!)

Don't you have a list of who accesses what machine? Or do users move about?

What method do you use to deploy your workstation builds?
 
You could perhaps search through the security logs on the DC for Logon events [ID 4624] that use the IP of the deleted computers. That's assuming you know the IPs of course. If you have the names then a simple ping <name> should give you them. So you could get the list of IP addresses, then do a search for them.

Unfortunately you will get a lot of Events from each IP and not all of them will have an actual user. It is also quite tedious!

If you aren't able to give your computers a sensible name, you could always create [or modify] a login script with the line:

Code:
echo %TIME% %DATE%:%USERNAME%:%COMPUTERNAME% >> \\server\aShare\user_session.txt

Then if you ever need to know where a computer is or who last logged in from there, you can just parse the file [or go through it manually].
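As an added example (not from the thread or any poster), here is a small Python parser for the user_session.txt file that the batch line above appends to. The one thing to watch is that %TIME% itself contains colons, so the line has to be split from the right; the log lines and asset-tag computer names below are constructed.

```python
# Constructed sample of user_session.txt, built from lines of the form
# "%TIME% %DATE%:%USERNAME%:%COMPUTERNAME%" as written by the logon script.
SAMPLE_LOG = """\
09:02:17.45 21/03/2012:jsmith:AT10423
09:05:03.12 21/03/2012:kbrown:AT10977
13:41:55.80 21/03/2012:jsmith:AT10977
08:58:40.03 22/03/2012:pjones:AT10423
"""


def parse_line(line):
    """Return (timestamp, username, computername) or None for malformed lines."""
    line = line.strip()
    if not line:
        return None
    # Split from the right: the last two fields are user and computer;
    # everything before them is the time/date stamp, which contains ':' too.
    parts = line.rsplit(":", 2)
    if len(parts) != 3:
        return None
    stamp, user, computer = parts
    return stamp, user.lower(), computer.upper()


def last_user_per_computer(text):
    """Map each computer name to (user, timestamp) of the most recent logon.
    The file is append-only, so the last matching line wins."""
    seen = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            stamp, user, computer = rec
            seen[computer] = (user, stamp)
    return seen


def find_computers(text, wanted):
    """Look up the machines being hunted (e.g. the deleted computer accounts,
    named by asset tag) and return only those with a recorded last user."""
    by_computer = last_user_per_computer(text)
    return {c: by_computer[c] for c in (w.upper() for w in wanted) if c in by_computer}


if __name__ == "__main__":
    for computer, (user, stamp) in find_computers(SAMPLE_LOG, ["AT10423", "AT10977"]).items():
        print(f"{computer}: last logon by {user} at {stamp}")
```
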
 
blastman said:
Most only have the local admin account

Do you not know the local admin account and p/w?

blastman said:
All PCs are named according to their asset tag number so I've asked finance to provide the asset list and I'll see if that helps. Sadly, that'll only work if the asset list has been updated to track who currently has that piece of equipment.

Check with your network team, can they find out which switch/port the PC is on by IP address and then see where that is patched to?

Might even be worth sniffing the traffic, see if their user name gets sent when they try to authenticate to apps etc.
 
Why not just do a restore of AD?

not sure, I'll look in to it. cheers

This is why it might have been a good idea to name the PCs via the method of [site][room number][pc ID e.g A01/A02/A03], then you wouldn't need the user logged on, you could have gone to the room as above (unless it gets moved without knowing!)

Don't you have a list of who accesses what machine? Or do users move about?

What method do you use to deploy your workstation builds?

I agree that the naming convention isn't great but that's what was started long before I started working here so it's just been carried on.

Yes, PCs and users get swapped about quite often.

Install Windows, asset tag, add to domain with PC name same as asset tag, install relevant software depending on dept, set up under desk for user.


You could perhaps search through the security logs on the DC for Logon events [ID 4624] that use the IP of the deleted computers. That's assuming you know the IPs of course. If you have the names then a simple ping <name> should give you them.

So you could get the list of IP addresses, then do a search for them.

Unfortunately you will get a lot of Events from each IP and not all of them will have an actual user. It is also quite tedious!

If you aren't able to give your computers a sensible name, you could always create [or modify] a login script with the line:

Code:
echo %TIME% %DATE%:%USERNAME%:%COMPUTERNAME% >> \\server\aShare\user_session.txt

Then if you ever need to know where a computer is or who last logged in from there, you can just parse the file [or go through it manually].


Not a bad idea. This would of course be subject to the fact that all end user machines get IPs dished out from DHCP, so might have changed. I'll look in to that.

As for the logon script, I don't think that is necessary. These machines are very old and I have already created a rather large logon script to map drives and printers depending on AD security groups.


Do you not know the local admin account and p/w?



Check with your network team, can they find out which switch/port the PC is on by IP address and then see where that is patched to?

Might even be worth sniffing the traffic, see if their user name gets sent when they try to authenticate to apps etc.


The local admin password could be any of our old domain passwords. This has thrown into the light the need for a standard local admin password which I'll sort once these 5 machines are found and fixed.

As for checking the switches, I have looked at my distribution switches and they are all Netgear FSM726s and I see nothing in the navigation to suggest I can see what IPs are using what ports.

Unless I'm missing something......

As for sniffing, I do have a PC that I used to sniff some traffic a while back but I have no hubs left to broadcast all the network traffic onto a single port to be sniffed. It broke :(
 
edit;

I've managed to find the MAC address of 2 of the PCs and I can search the switches for activity and their port numbers based on MAC addresses.

Nearly there!!! :) but with 12 disti switches this might take a while.....
 
hmm I've got a vb script I use that does a WMI query on a machine for the locally logged on user, but not sure if that'd work if your permissions are stuffed :/
 
Writing a few dozen characters to a file is not going to slow down your machines at logon. Plus the extra 5 nanoseconds it takes will save you the two days you have been tracking down these machines. ;)

A program by sysinternals called ADRestore may be able to restore the Computer accounts - I don't know if they work as before, as tombstoning causes some of the attributes to be lost.
 
hmm I've got a vb script I use that does a WMI query on a machine for the locally logged on user, but not sure if that'd work if your permissions are stuffed :/

Yeah, I've got something similar but I seem to be having some issues with it. Can you paste it in a post for me and I'll give it a crack??


So far I've found two machines. Well, what I mean is I've found the switch and port number they are on.......
 
Writing a few dozen characters to a file is not going to slow down your machines at logon. Plus the extra 5 nanoseconds it takes will save you the two days you have been tracking down these machines. ;)

A program by sysinternals called ADRestore may be able to restore the Computer accounts - I don't know if they work as before, as tombstoning causes some of the attributes to be lost.

True, maybe I'm lazy. It might be worth considering once this has been sorted. ;)

Tbh, I've spent about an hour and a half on this so far. Other jobs keep walking through the door, plus I've got a software audit I'm doing, planning a roll out for laptop HDD encryption and god knows what else is on my to do list.

Cheers for all the help so far guys :)
 
I take it these machines haven't fallen over yet?

The last time I err *cough* accidentally nuked a computer account I got an email half an hour later because a user couldn't log on.
 