
How to know in which machine a domain user is logged?

alsaeed_s asked
Last Modified: 2010-04-13
Hi all,

I have an NT domain with many users and Computers.

How to get name or address of the machine that a given user is currently logged-on?

Could any one help?

CERTIFIED EXPERT
Top Expert 2007

Commented:
I would take a look at the utilities in the NT resource kit and

http://www.sysinternals.com/
http://www.systemtools.com/
http://www.winternals.com
 www.bhs.com
http://www.sunbelt-software.com/search_category.cfm

One of them should help !

Other ways include using NBTstat to see NetBIOS names of computers.

KiXtart and WSH scripts can also be added to the DOMAIN login script to gather this info to a text file automatically, while logging in.

I hope this helps !
CERTIFIED EXPERT

Commented:
alsaeed_s, try net view from a command prompt, or start | run on Win98 boxes.

As an example,

NET VIEW /YES


Dennis

Author

Commented:
I couldn't find this utility in the sites listed above.
Could anyone help?
CERTIFIED EXPERT

Commented:
What utility? "NET VIEW" is included!

Author

Commented:
dew_associates,

NET VIEW /YES doesn't answer my question. It does not work as I want.

I want to give a user name and get the name of the machine that he/she is logged in to. If this can be achieved using the Net command, please show me.

My previous comment was for SysExpert, not you. I should have specified.

Thanks,
SAS
CERTIFIED EXPERT
Commented:
Here are three methods for you:

Windows NT Auditing
To determine from which system a user logged on with Windows NT Auditing, perform the following steps:

Start User Manager for Domains.
Click Audit from the Policies menu.
Click to enable Success for the Logon and Logoff category. Optionally, you may also select the Failure check box.

After the above procedure has been implemented, Windows NT will create an event log for each successful log on attempt. The log will appear like the example below:

   Date:     10/13/97  Event ID:  528
   Time:     10:32:11 AM  Source:  Security
   User:     JoeSmith  Type:  Success Audit
   Computer: MKTINGDOM  Category: Logon/Logoff

   Description:
   Logon/Logoff: Successful
   Logon User Name: JoeSmith
   Domain: MKTINGDOM
   Logon ID: (0x0, 0x2D0D0)
   Logon Type: 3
   Logon Process: User32
   Authentication Pkg: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
   Workstation Name: \\WKS2

Network Monitor
To determine from which system a user logged on with Network Monitor, perform the following steps:

Capture all incoming traffic to the domain controller(s). In order to reduce the size of the captured data:

* If possible, include only the Primary or Backup Domain Controller that is most likely to validate the intruder.
* Set a capture filter, including only the server message block (SMB) protocol.
* Configure a large enough memory buffer through the Buffer Settings option in the Capture menu.

After the data has been captured, set a display filter to only include:

Protocol: SMB
Property: Account Name
Relation: Exists

This will display all the initial SMB session setup containing the user name and the source media access control address.

For example:

Src Mac Addr  Dst Mac Addr  Description
WKS1          SUNKING       C session setup & X, Username = MariaH, and C tree connect & X, Share = \\SUNKING\IPC$
WKS2          SUNKING       C session setup & X, Username = JoeSmith, and C tree connect & X, Share = \\SUNKING\IPC$
WKS3          SUNKING       C session setup & X, Username = Administrator, and C tree connect & X, Share = \\SUNKING\IPC$

In the example above, WKS1 is the computer where the user is logging on from, SUNKING is the domain controller authenticating the request, and the Description contains the Windows NT domain account being used.

NOTE: The Src Mac Addr may also be shown as a media access control or IP address if the NetBIOS name could not be resolved or the entry is not in the Network Monitor address database.

Using the WINS Database
To determine from which system a user logged on using the WINS database, perform the following steps:

Start WINS Manager.
Click Show Database on the Mappings menu.
Click Set Filter, type the user account name in the Computer Name criteria, and then click OK.

In the Mappings list, the entry with the user account name and the 03h identifier maps to the IP address of the workstation from which the user logged on to the domain.

Using the NetBIOS Remote Name Table
To determine from which system a user logged on using the NetBIOS Remote Name Table, perform the following steps:

From an MS-DOS command prompt, type the following, and then press Enter.

net send <username> "text message"

where <username> is the user account for the user you are attempting to locate.


Type the following, and then press Enter.

nbtstat -c


As in the example above using the WINS Database, locate the user name that is associated with the 03h identifier and the corresponding IP address is that of the workstation.

For more information, please refer to the following Microsoft Knowledge Base articles:

ARTICLE-ID: Q157238
TITLE : How to Activate Security Event Logging in Windows NT 4.0

ARTICLE-ID: Q173939
TITLE : How to Identify User Who Changed Administrator Password

ARTICLE-ID: Q140714
TITLE : Distinguishing Windows NT Audit Event Records

More..........

To determine which account is logged on to a local or
remote server or workstation, check out the following
utilities:

* PsLoggedOn ............. http://www.sysinternals.com/ntw2k/freeware/pstools.shtml
* Hyena .................. http://www.systemtools.com/hyena/
* NetUsers ............... http://www.systemtools.com/free_frame.htm
* NTinfo ................. http://members.tripod.com/%7Ewennstrom/ntinfo.htm
* TokenMon ............... http://www.sysinternals.com/ntw2k/source/tokenmon.shtml


For other ways of obtaining this information, see:

* http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q175062
* http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14441
* http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=15053
* http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14469
* http://www.jsiinc.com/SUBB/TIP0500/rh0595.htm
* http://www.jsiinc.com/SUBB/TIP0900/rh0981.htm


Also, if you have RCMD installed on the remote system, you
can open a remote console on that box and use PULIST with
no parameters to show all accounts which are active on
that box. The account holding the Explorer process will be
the currently logged on user.
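
Added example (not part of the original answer): once Logon and Logoff auditing is enabled as in the first method, a text export of the Security log can be searched by user name. This Python sketch parses records in the Event ID 528 layout quoted above and returns the workstation of a user's most recent successful logon; the sample records and function names are constructed for illustration, and the 529 (failed logon) record is there only to show it being skipped.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the Event ID 528 record quoted above;
# users, workstations and times are made up. 529 is a failed logon.
SAMPLE_LOG = r"""
Date:     10/13/97  Event ID:  528
Time:     10:32:11 AM  Source:  Security
Logon User Name: JoeSmith
Workstation Name: \\WKS2

Date:     10/13/97  Event ID:  528
Time:     10:40:02 AM  Source:  Security
Logon User Name: MariaH
Workstation Name: \\WKS1

Date:     10/13/97  Event ID:  528
Time:     02:15:40 PM  Source:  Security
Logon User Name: JoeSmith
Workstation Name: \\WKS3

Date:     10/13/97  Event ID:  529
Time:     03:01:09 PM  Source:  Security
User Name: JoeSmith
Workstation Name: \\WKS9
"""

# Two fields can share a line, separated by two or more spaces.
FIELD = re.compile(
    r"(Date|Time|Event ID|Logon User Name|Workstation Name):\s*(.+?)(?=\s{2,}|$)",
    re.M)

def parse_logons(text):
    """Return (timestamp, user, workstation) for every successful logon (528)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(FIELD.findall(block))
        if f.get("Event ID") != "528" or "Logon User Name" not in f:
            continue  # skip failed logons and records without a user
        when = datetime.strptime(f"{f['Date']} {f['Time']}", "%m/%d/%y %I:%M:%S %p")
        events.append((when, f["Logon User Name"], f.get("Workstation Name", "").lstrip("\\")))
    return events

def last_workstation(text, user):
    """Workstation of the user's most recent successful logon, or None."""
    hits = [(when, ws) for when, u, ws in parse_logons(text) if u.lower() == user.lower()]
    return max(hits)[1] if hits else None

print(last_workstation(SAMPLE_LOG, "joesmith"))
```

The most recent 528 record shows where the account last authenticated from, which is not necessarily a session that is still open.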

Author

Commented:
dew_associates,
I really appreciate your full detailed answer. Thank you.

SAS
CERTIFIED EXPERT

Commented:
Glad I could help!
