Solved

How to find out where a user is logged in

Posted on 2003-03-12
Last Modified: 2012-06-21
I am an admin for a domain with about 500 users and at least once a week we get someone logged on at 2 different workstations and then change their password which then gets locked out over and over again.  They swear they are not logged in anywhere else but every time that is what turns out to be true.  Is there a tool to search the domain and find where a userid is logged in?
0
Question by:MCSEDanny
17 Comments
 
LVL 1

Expert Comment

by:tc982
ID: 8119057
No,

But there are possibilities to see when a user has been logged in, and where on which machine.

You'll have to do this with a KiX Script. Check out www.scriptlogic.com for a good program, you can use it for 14 days as shareware.

Also, you can download free KiX scripts!

I do not have a working example right now, but I think a customer of mine still has one, I'll be able to retrieve it if you do not mind to wait. (I will not be there for another month!)

Hope that I helped!
0
 

Expert Comment

by:0utsyder
ID: 8119514
right click on My Computer | Manage | (If you are not on your primary server then you need to right click on "Computer Management" and "connect to another computer" and select it under your domain) System Tools | Shared Folders | Sessions. This will show you the username and the machine that username is logged into. Not as quick and Neat as ScriptLogic but it gets the job done.
0
 
LVL 1

Expert Comment

by:tc982
ID: 8119573
true,

But to log a user for a longer period it is better to do it with the logon script!!

But hey, you are right!
0
 

Expert Comment

by:0utsyder
ID: 8119615
right click on My Computer | Manage | (If you are not on your primary server then you need to right click on "Computer Management" and "connect to another computer" and select it under your domain) System Tools | Shared Folders | Sessions. This will show you the username and the machine that username is logged into. Not as quick and Neat as ScriptLogic but it gets the job done.
0
 

Expert Comment

by:john_demerjian
ID: 8119746
TC is right, there is no tool to do this.  That's why you will want to create your own and you can use my script as a base.  My script currently finds HOST NAME and the DOMAIN the host is on by using the NBTSCAN utility.  It can easily be modified to find user name and the computer they are on.  Download the NBTSCAN tool which is readily available on the Internet.  Get familiar with it and then use my script to run that scanner and capture the output.

By scanning every system on the network you can see which user is logged on to which system.  The scanner shows the netbios name of a logged on user account like this:
JDEMERJI         <03>             UNIQUE

So when you scan your network and dump all results to a text file, a crude method of achieving your goal is to simply search the text file for occurrences of the user name.  A more elegant approach would be to pass a variable to the script as the name you were trying to find and have the script display only matches.  If you make something cool, be sure to get it back to me so I can check it out.  Good luck! (script below - paste into notepad and save as something.bat)

john_demerjian@bmc.com
"Begin with the end in mind"


rem @echo off

REM *** SCAN NETWORK FOR ALL WINDOWS COMPUTERS AND LOG THEIR NAMES AND DOMAINS TO A TEXT FILE.

for /f "tokens=1-3" %%i in ('nbtscan -v 172.31.4.1-254 ^| findstr /i /c:"<00>"') do ( if %%k==UNIQUE (call :store_hn %%i) else (call :print_both %%i) )
for /f "tokens=1-3" %%i in ('nbtscan -v 172.31.5.1-254 ^| findstr /i /c:"<00>"') do ( if %%k==UNIQUE (call :store_hn %%i) else (call :print_both %%i) )


goto EOF

:store_hn
set HNAME=%1
goto EOF

:print_both
echo Hostname is %HNAME% and Domain is %1 >>output.txt
goto EOF

:EOF
0
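The "display only matches" search described in the post above, as an added example that is not code from the thread: it reads saved nbtscan output and returns the machines where a given user name is registered under <03>. The Messenger service registers the computer name under <03> as well as the user name, so the machine's own entry is excluded. Assumptions: the sample text is constructed, the host header line is an assumed layout, and `logons_by_user` and `where_is` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample. Name lines follow the format quoted in the post; the
# "NetBIOS Name Table for Host" header is an assumed `nbtscan -v` layout.
SAMPLE = """\
NetBIOS Name Table for Host 172.31.4.10:
BOXA             <00>             UNIQUE
CORP             <00>             GROUP
BOXA             <03>             UNIQUE
JDEMERJI         <03>             UNIQUE

NetBIOS Name Table for Host 172.31.4.11:
BOXB             <00>             UNIQUE
CORP             <00>             GROUP
BOXB             <03>             UNIQUE
JDEMERJI         <03>             UNIQUE
ASMITH           <03>             UNIQUE
"""

HOST_RE = re.compile(r"^NetBIOS Name Table for Host (\S+?):\s*$")
NAME_RE = re.compile(r"^(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s*$")

def logons_by_user(scan_text):
    """Return {USER: [machines]} from <03> UNIQUE entries in the scan text."""
    tables, host = defaultdict(list), None   # host IP -> [(name, suffix, type)]
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = NAME_RE.match(line)
        if m and host:
            tables[host].append((m.group(1).upper(), m.group(2).upper(), m.group(3)))
    users = defaultdict(set)
    for ip, names in tables.items():
        # <00> UNIQUE is the machine name; it also appears under <03>, so skip it.
        machine = sorted(n for n, sfx, typ in names if (sfx, typ) == ("00", "UNIQUE"))
        label = machine[0] if machine else ip
        for n, sfx, typ in names:
            if (sfx, typ) == ("03", "UNIQUE") and n not in machine:
                users[n].add(label)
    return {u: sorted(h) for u, h in users.items()}

def where_is(user, scan_text):
    """Machines on which `user` currently has a <03> name registered."""
    return logons_by_user(scan_text).get(user.upper(), [])

if __name__ == "__main__":
    print(where_is("jdemerji", SAMPLE))   # ['BOXA', 'BOXB']
```

A machine with the Messenger service stopped registers no <03> names, so an empty result does not prove the user is logged off.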
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8120780
We did the following, and now we can find where a user has been:
First we created a wide open, hidden share
\\Server\Share$
Then we added the following to everybody's login scripts
@ECHO %USERNAME% > \\server\share$\%COMPUTERNAME%_%USERNAME%_%USERDOMAIN%

This creates a bunch of files in this share, essentially a database where the filename is the data.

We can query on this data:
By username, machine name, and domain.  Here is the username query with %1 being the username:
ECHO.
ECHO You may also want to check these systems that the user has recently logged into:
for /f "tokens=*" %%i in ('dir \\server\share$\*%1*. 2^>^&1') do set errfound=%%i
If /i "File Not Found"=="%errfound%" goto :notfoundindir
for /f "tokens=1 delims=_ "  %%i in ('dir \\server\share$\*%1*. /b') do @echo %%i
goto :EOF
:NotfoundInDir
echo.
echo OR NOT.
echo.
echo It seems this user was not found in the user directory, Please check %1's login script
________________________

After about a week after adding this to the login script, we had 2000 entries in the "database", each adding a possible user/machine combination.  2 months later, we have over 6000 entries, and when using a subtractive method from our domain list, we have been able to use this data to find our "grey area" of machines that are not being used, and the users that do not have one of "our" login scripts.



______________________

-HTH

-Steven Yarnot
http://yarnosg.home.insightbb.com




0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8120823
Oh, forgot to add:  We still have users that do that, but at least now we can tell them where they have been.  Periodically, we delete files in the directory that have a last modified date greater than X, that way we know our window of information is only X old.  Additionally, you could change it to instead of echoing the username, you could copy a null size file.  But these less than 1K files work just fine for us.

-Steven Yarnot
0
 

Expert Comment

by:john_demerjian
ID: 8120957
Steve I like your solution a lot.  I'll probably borrow that code.  But neither yours nor mine fully addresses the issue of a user being logged on to two systems and then changing a password.  I wonder if we can figure out one that does?  The shortcoming in mine is that in order for it to be used proactively to prevent the lockout problem, the USER would need to run it.  That ain't gonna happen.  It can be used to find two users logged on at the same time, but most likely that would be after there was already a problem.

The problem with your idea is that it can't tell when a user is logged off the system.  So you know where a user has been, but you don't know which boxes they are currently logged on to.

So let's focus (if you would) on how to determine when a user has logged off a computer.  If you can figure that out, we may have this age-old NT problem beaten.  

0
 

Expert Comment

by:john_demerjian
ID: 8120996
One approach I've thought of could be to run a script on the server that stores the text files (from Steve's example) that constantly checks for next text files being added with if <jdemerji_hostname.txt> exists then look for another text file with jdemerji and if found "net send HEY YOUR LOGGED ON TO ANOTHER COMPUTER hostname"

now it's just a matter of writing that....
0
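The check sketched in the comment above, run over the COMPUTER_USER_DOMAIN marker files from YarnoSG's login script and limited to his "last modified within X" window, as an added example that is not code from the thread. Assumptions: the marker list, computer inventory and domain set are constructed sample data, and `parse_marker` and `multi_logons` are hypothetical names; the inventory is needed because underscores inside a computer or user name make the filename ambiguous.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_marker(name, computers, domains):
    """Split COMPUTER_USER_DOMAIN. Any field may itself contain "_", so try
    every split and accept only a unique one with a known computer and domain."""
    parts, hits = name.split("_"), []
    for i in range(1, len(parts) - 1):
        for j in range(i + 1, len(parts)):
            comp = "_".join(parts[:i]).upper()
            user = "_".join(parts[i:j]).lower()
            dom = "_".join(parts[j:]).upper()
            if comp in computers and dom in domains:
                hits.append((comp, user, dom))
    return hits[0] if len(hits) == 1 else None

def multi_logons(markers, computers, domains, now, window):
    """markers: (filename, last_modified) pairs from the share listing.
    Returns ({DOMAIN\\user: [computers]} for 2+ machines in window, [rejected])."""
    seen, rejected = defaultdict(set), []
    for name, mtime in markers:
        if now - mtime > window:        # outside the retention window X
            continue
        rec = parse_marker(name, computers, domains)
        if rec is None:                 # unknown machine/domain or ambiguous split
            rejected.append(name)
            continue
        comp, user, dom = rec
        seen[(dom, user)].add(comp)
    hits = {f"{d}\\{u}": sorted(c) for (d, u), c in seen.items() if len(c) > 1}
    return hits, rejected

# Constructed sample data: names, times and inventory are made up.
NOW = datetime(2003, 3, 12, 9, 0)
COMPUTERS, DOMAINS = {"BOXA", "BOXB", "BOXC", "LAB_PC1"}, {"CORP"}
MARKERS = [
    ("BOXA_jsmith_CORP", NOW - timedelta(hours=1)),
    ("BOXB_jsmith_CORP", NOW - timedelta(hours=3)),
    ("BOXA_adoe_CORP", NOW - timedelta(hours=2)),
    ("BOXC_adoe_CORP", NOW - timedelta(days=30)),        # stale, ignored
    ("LAB_PC1_svc_backup_CORP", NOW - timedelta(hours=2)),
    ("GHOST_bob_CORP", NOW - timedelta(minutes=5)),      # not in inventory
]

if __name__ == "__main__":
    print(multi_logons(MARKERS, COMPUTERS, DOMAINS, NOW, timedelta(days=7)))
```

Because the share is wide open, any user can create or delete markers, so the output is a lead for the help desk to confirm rather than a record of who was where; the rejected list is worth reviewing for that reason.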
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8121209
You could have the login script run the check and echo back the machines they are logged in at;  Then have another automated system purge the data on a regular basis.  We use a tool that looks to the HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon key to determine the last logged in user, then uses PSList from Sysinternals (http://www.sysinternals.com) to determine if Explorer.exe is running (last logged in person + a running explorer = you know who is on a machine).  This could be bent to determine if they STILL are logged into those other machines, but it seems like a lot of work that could be avoided by just TRAINING the users to be only logged into one machine when they change their password.


-HTH
-Steven Yarnot
http://yarnosg.home.insightbb.com
0
 

Author Comment

by:MCSEDanny
ID: 8127206
John Demerjian,  Thanks for helping out and understanding the goal I am trying to reach and am sure I'm not the only person in the world needing this.

I need to be able to when a user walks up to the help desk just after changing his password then being locked out of outlook and share drives I can perform a scan and identify this user is logged into boxA and boxB go log off these and then we can unlock your user account.
0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8127399
That is one of the functions we use the script above for.  We have an additional part that looks the person up in WINS to determine where they are logged in right now, because we get a large number of people who do not know their own node name calling our help desk.  If there is interest, I can post the whole script here.

-HTH
-Steven Yarnot
http://yarnosg.home.insightbb.com
0
 

Expert Comment

by:Sengoku
ID: 8136341
There is a program called Look@Lan which scans your network and returns the PCName and who is logged in, it takes a while to run, but all it needs is the IPRange.
You can get it at www.lookatlan.com
0
 

Expert Comment

by:john_demerjian
ID: 8137017
I think this spells BINGO!  I'm cautiously optimistic.  This utility is in the W2K resource kit.  



Cconnect.exe: Con-Current Connection Limiter

--------------------------------------------------------------------------------

This tool provides a method of tracking concurrent connections of users and monitoring what computers users are logged on to a network. It consists of two components, a client and an administrator.

Con-Current Connection Limiter:

  • is completely hidden from the end user's view.
  • keeps track of all computers that users are logged onto.
  • tracks last known user of the computer.
  • monitors what logon server users are logging into.
  • allows concurrent connection limitations to be set on a per-user or per-group basis.
  • stores all information in a Microsoft® SQL Server™ database assigned by the Administrator.

Requirements

These tools require:

  • Microsoft® Windows® 2000
    - Or -
    Microsoft® Windows NT® version 4.0 with:
      • Service Pack 4 or higher
      • Windows Script Host
      • Windows Management Instrumentation (WMI)
      • MDAC version 2 or higher
    Information on all of these can be found at the Microsoft Web site.
  • SQL Server 6.5 or higher

Before running the VBS files, CConnect Client must be run successfully at least once to properly set up the database. Otherwise the VBS scripts will fail.

Files Required

Con-Current Connection Limiter is not installed by the Windows 2000 Resource Kit setup program. The files required for this tool are located on the Apps\Cconnect\ folder of the Resource Kit companion CD.

Before using CConnect Client or CConnect Administrator, you must first install them using the installation programs (Setup.exe) located in the Apps\Cconnect\Client and Apps\Cconnect\Admin folders.

0
 

Author Comment

by:MCSEDanny
ID: 8210385
I actually found the utility I was looking for called psloggedon.exe at www.sysinternals.com
0
 
LVL 5

Expert Comment

by:cempasha
ID: 8598182
This question is still open and getting old. If any of the comment(s) above helped you please accept it as an answer or split the points who ever helped you in this question. Your attention in finalising this question is very much appreciated. Thanks in advance,

****** PLEASE DO NOT ACCEPT THIS AS AN ANSWER ********

- If you would like to close this question and have your points refunded, please post a question in community support area on http://www.experts-exchange.com/Community_Support/ giving the address of this question. Thank you      

Pasha

Cleanup Volunteer


0
 

Accepted Solution

by:
PashaMod earned 0 total points
ID: 9589460
PAQ'ed and points refunded

PashaMod
CS Moderator
0
