Solved

How do I tell who's currently logged on to a remote computer that is running Windows 2000 Pro or Windows XP Pro?

Posted on 2004-10-06
27
723 Views
Last Modified: 2008-09-18
I'm attempting to do this from a Windows 2003 Small Business Server remotely for a client of ours. I've looked at DHCP and NBTSTAT for hints but no luck. I am simply trying to find the name of the user account that is currently logged onto a computer named WOLF on the network. Any ideas? Thanks.
0
Comment
Question by:WineGeek
  • 8
  • 5
  • 3
  • +9
27 Comments
 
LVL 9

Assisted Solution

by:MSGeek
MSGeek earned 33 total points
ID: 12243115
You need to use event logging to determine this.  By default 2003 logs account logion events.  This may help:  http://www.winnetmag.com/Windows/Article/ArticleID/40046/40046.html
0
 

Author Comment

by:WineGeek
ID: 12243290
I'm thinking that this doesn't apply to my situation. Here's why: This computer named WOLF is not a domain member, which is the problem I'm trying to resolve. I'm seeing errors in the event log of the 2003 server that the computer \\WOLF is trying to connect to the server, but it ain't happening thanks to changed/failed trust relationsips when some heavy domain changes were done before I even started working here. I'm trying to join this WOLF computer to the domain and need to know who's logged on to it so I know who to ask for when I call the client's office. Thanks again for any help.
0
 
LVL 11

Assisted Solution

by:gothicbloody
gothicbloody earned 33 total points
ID: 12243311
0
 
LVL 3

Assisted Solution

by:hehewithbrackets
hehewithbrackets earned 165 total points
ID: 12243343
Does this mean that you have no access to the WOLF computer at all?  Do you have administrative access to open up it's computer management console remotely or access it's hard drive?  If not, you can always try to do a NET SEND 'message' which might go through and ask him to call you.
0
 
LVL 3

Assisted Solution

by:zamoti
zamoti earned 33 total points
ID: 12243411
Open a command prompt and try this:

tasklist /v /s \\wolf

It should list what programs are running and who is running them.  

Good luck!
0
 

Author Comment

by:WineGeek
ID: 12243490
This command is prompting me as follows:
Type the password for <DomainName>\Administrator:

When I enter the password, it replie as follows:
ERROR: Logon failure: unknown user or bad password.

Am I doing something wrong? I obviously know the correct password or I wouldn't have been able to log onto the server. Thanks.
0
 

Author Comment

by:WineGeek
ID: 12243506
I tried the NET SEND command earlier and couldnt get it to work. Probably bad syntax on my part, but I checked with HELP and I'm not sure why it didn't work???
0
 
LVL 3

Assisted Solution

by:hehewithbrackets
hehewithbrackets earned 165 total points
ID: 12243783
This goes back to my original question of whether you have administrative access to the machine.  What password are you entering into the system?  Since the computer is not a domain member, you would need to use the credentials of the local administrator account or the administrator from the previous domain if it is still a member of the old domain.

When you tried the NET SEND command, did you receive any kind of error message?  It also will not work if the messenger service is shutdown on the target machine.
0
 

Author Comment

by:WineGeek
ID: 12243810
That's what I was afraid of. I don't know the local admin password, or any other password for a local account on that machine. Thanks for your help anyway everyone.
0
 
LVL 3

Assisted Solution

by:hehewithbrackets
hehewithbrackets earned 165 total points
ID: 12243824
Are you able to get access to the remote computer's hard drive by going to \\WOLF\C$
If so, navigate to the profiles folder and see what user folders exist.  It's a long shot, but worth a look.
0
 

Author Comment

by:WineGeek
ID: 12243842
Ok, I'll try that tomorrow. Also, how does this "points" thing work on this web site? Do I click the [Accept] button only for those who provide the answer that worked? Is that roughly how it goes here? I just joined today. Thanks.
0
 
LVL 3

Assisted Solution

by:hehewithbrackets
hehewithbrackets earned 165 total points
ID: 12243845
Is the computer physically located near your location?  Can you track it down by IP address back to the switchport it is plugged into?
0
 
LVL 3

Assisted Solution

by:hehewithbrackets
hehewithbrackets earned 165 total points
ID: 12243850
Yes, you can split the points as you wish.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:WineGeek
ID: 12244082
Thanks. No, the computer is in another building miles away from me.
0
 
LVL 10

Assisted Solution

by:dis1931
dis1931 earned 33 total points
ID: 12246049
try "nbtstat -a" followed by the computer name so if the PC is wolf then type

nbtstat -a wolf

or if you have an IP address type

nbtstat -A XXX.XXX.XXX.XXX

This should provide you with a logged in user name....
0
 

Assisted Solution

by:C0mab0y
C0mab0y earned 33 total points
ID: 12247420
From the PDC open a commandprompt and type:

Net sessions \\wolf

This returns current username, computername, client type, session time, time inactive.

Net sessions

This returns a list of all current sessions with the PDC.

0
 
LVL 5

Assisted Solution

by:zerofield
zerofield earned 33 total points
ID: 12249254
psloggedon is the tool i use for doing this.  it will let you check the status of users logged into a single machine, or scan the entire domain.  it's free from sysinternals.
0
 

Assisted Solution

by:EricdJ
EricdJ earned 33 total points
ID: 12249259
User Management Console (MMC) with Computer management snap-in and connect to remote computer (if necessary add your account to to adminsitrators group at the wolf computer)

In the "System Tools | Shared Folder | Sessions " container you will see the user(s) connected/logged in
0
 
LVL 4

Assisted Solution

by:internetsavant
internetsavant earned 33 total points
ID: 12253836
from any computer type at the command prompt:

c:\>nbtstat -a %computer_name%

this will tell you who the current logged on user is.


you can go into Local Security Policy mmc and start logging security events like logon/logoff events and then, connect to that computer's Event Viewer through Computer Management (if you have admin rights to the machine) and view what user account logged on at what time and you can deduce the length of time once you see a corresponding logoff event.

=D
0
 
LVL 2

Assisted Solution

by:Snodlander
Snodlander earned 33 total points
ID: 12256428
NBTSTAT -a \\wolf
This should return a bunch of info, including the logon name of the user CURRENTLY using the machine.

You can try sending an instant console message by opening up Computer Management, right click on "shared folders" select "all tasks" "send console message". Add wolf in by its IP address and send a message to the user.

From an XP machine you can try to 'Offer Remote Assistance' to Wolf. This will at least let you know if it is an XP machine.

You could also try shutting it down remotely and seeing who complains. From a run command type.. shutdown -i
This will bring up the GUI interface for the shutdown application - easier than using the DOS based command with switches.
You can type a short message telling the user of Wolf to contact you on your number, which they will, or face more shutdowns. This may not work, however, since you do not know the admin password for Wolf.

Can you not work out where it is generally from its IP address?
0
 
LVL 2

Accepted Solution

by:
stardust126 earned 38 total points
ID: 12256835
What you want is see who is CURRENTLY logged on.
The best solution availble is psloggedon (http://www.sysinternals.com/files/PsLoggedOn.zip) from the PsTools pack (http://www.sysinternals.com/files/Pstools.zip).
It lets you see who's logged on to the computer from local logon and network logon (someone accessing a share on that computer) and also let's you search for all your network for a specified user and what computer he's logged on to.

0
 

Author Comment

by:WineGeek
ID: 12259425
You all have given me some very good suggestions. But no success so far.

When I ran pslogged on, it failed saying to make sure the registry service was running on \\wolf. I could ping \wolf but pslogged on didn't work. [Nbtstat -a] also fails to provide any helpful information.

I believe the facts that \\wolf is not a domain member combined with the fact that I cannot physically get to the machine (without driving to the client's office) is going to be a deal breaker on this. Although I like the idea of shutting down \\wolf remotely and seeing who complains. Perhaps I'll get that desperate soon. Thanks everyone. I'd like to hand out some points. I've got to figure out how to do that to multiple people. Thanks again everyone.
0
 
LVL 2

Expert Comment

by:stardust126
ID: 12266642
Please check if the 'Remote Registry Service' is running on the remote computer.
I believe that service is disabled by default.
0
 
LVL 2

Expert Comment

by:Snodlander
ID: 12273246
Can you post the results of your nbtstat here?
0
 

Author Comment

by:WineGeek
ID: 12499649
results of running nbtstat -a \\wolf are as follows:

**********************
Host not found.
**********************

I can ping wolf, and nbtstat is reporting that wolf is at 10.10.10.5. So I'm still stumped....
0
 
LVL 4

Expert Comment

by:internetsavant
ID: 12499910
is that IP apart of your network?  Can you check AD to see if you have a "Wolf" computer located anywhere in your domain?  If not, you have a computer that's attached to your network via DHCP but does not have a computer account.  This is a common hacking method because all they need is a valid user account and they can access any network resource.  

If the 10.10.10.5 computer is in your subnetting scheme, don't you have the subnets broken down by physical location??  The subnet itself should give you an idea of the geographic location...

What is the scope of the network we're talking about here??
0
 
LVL 4

Expert Comment

by:internetsavant
ID: 12499933
ALSO:

if you run nbtstat -a against the computer name and don't return any results, it may be because of the case i stated above where the computer doesn't have a valid computer account on your domain...

to get around this (since you can ping the machine) do this:

nbtstat -A 10.10.10.5  

*note the capital "A" instead of the lowercase one designating you're looking for the IP address.

If you don't get a response out of this, it's probably because "WOLF" has NetBIOS turned off...
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Hello I read in a discussion about a person who configured a very simple mirror RAID with two hard drives; the system and data were on the same partition. He asked how to repair the system as it was not booting up anymore. In his case running …
As the title indicates, I have done this before. It chills me everytime I update the OS on my phone, (http://www.experts-exchange.com/articles/18084/Upgrading-to-Android-5-0-Lollipop.html) because one time I did this and I essentially had a bricked …
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now