Active Directory tool to determine where a user is logged on

Good morning all.  We are having a Win2K Active Directory seemingly random account lockout problem. In most cases we have traced the culprit to the user being locally logged onto multiple workstations or servers at the same time.

Question:  Does anyone know of a built-in Active Directory utility or command line tool that will enable us to enter a user ID and return every workstation or server the user is logged onto in the domain??

Thanks in advance!!
JrAdmin Asked:
srachui Commented:
One way you could get some information is to populate the 'managedBy' field of all your workstations, which would create a linked attribute to your 'managedObjects' attribute on users.  Then, you could search your user object in ADSIEdit and look up the 'managedObjects' attribute to see which workstations he is managing (I'd recommend a startup script on workstations to populate this attribute).  This isn't perfect, but if he's managing more than one workstation, it's a start.

Also, you need to look for the 644 Event on a Domain Controller in the Security Log, which will tell you specifically which workstation caused the lockout of the account.  It's sort of hard to locate if you don't have a script helping you know the exact DC and time of the lockout (thus the need for a program), but if you don't have one, you can filter your DCs and just look for Event ID 644.  Reading through those and looking for the user account that's been locked out, you can see which workstation the lockout is being generated on.
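One way to do the Event ID 644 filtering described in the answer above, added here as an example and not part of the original thread: it reads Security-log text exported from several DCs and lists which workstations locked out a given account, with the time and DC of each hit. The export layout, the `DC:` and `Date:` lines and the sample records are constructed; the `Target Account Name` and `Caller Machine Name` labels are assumed to match the 644 event description in your logs.

```python
import re
from collections import defaultdict

# Constructed sample: Security-log records exported as text from two DCs,
# one blank line between events. Field labels are an assumption; adjust
# them to the labels your own 644 events use.
SAMPLE_EXPORT = """\
DC: DC01
Event ID: 644
Date: 2004-03-02 08:14:55
Target Account Name: jdoe
Caller Machine Name: WKS-0412

DC: DC02
Event ID: 644
Date: 2004-03-02 09:40:10
Target Account Name: JDoe
Caller Machine Name: SRV-FILE01

DC: DC01
Event ID: 642
Date: 2004-03-02 09:41:00
Target Account Name: jdoe
Caller Machine Name: WKS-0001

DC: DC02
Event ID: 644
Date: 2004-03-02 11:02:31
Target Account Name: jdoe
Caller Machine Name: WKS-0412
"""

# "Label: value" with surrounding whitespace trimmed; value may be empty.
FIELD = re.compile(r"^\s*([^:]+?)\s*:[ \t]*(.*?)\s*$")

def parse_records(text):
    """Return one dict of label/value pairs per blank-line-separated event."""
    return [dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
            for block in re.split(r"\n\s*\n", text.strip())]

def lockout_sources(text, user):
    """Map each workstation that locked out `user` to sorted (time, DC) hits."""
    hits = defaultdict(list)
    for rec in parse_records(text):
        if rec.get("Event ID") != "644":
            continue  # other account-management events are not lockouts
        if rec.get("Target Account Name", "").lower() != user.lower():
            continue  # account names compare case-insensitively
        machine = rec.get("Caller Machine Name", "").lstrip("\\") or "(not recorded)"
        hits[machine].append((rec.get("Date", ""), rec.get("DC", "")))
    return {m: sorted(v) for m, v in hits.items()}
```

Calling `lockout_sources(SAMPLE_EXPORT, "jdoe")` groups the hits by workstation, so a machine that shows up on more than one DC stands out as the likely source of stale credentials.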
 
ocon827679 Commented:
The only tool that I've ever seen do this is goverLAN from PJ Technologies, www.goverlan.com.  Not to say that other utilities don't, but goverLAN will work.  There is a demo version that should get you out of your predicament.
 
JrAdmin (Author) Commented:
srachui, it's not really what I wanted to hear, but your answer does confirm that there is not one nice command or Active Directory utility that I could punch the user ID into.  I don't really want to have to install a client on every machine.  Right now we check the log files on the DCs to find out where an individual is logged on.  I was hoping for an easier way.  Oh well...thanks!