Solved

Last Logon date to XP or NT

Posted on 2006-06-28
19
852 Views
Last Modified: 2012-08-13
I have been tasked with creating a report that shows which machines have not been used in the last month. I suspect the only way to do that is to find some way of showing when a machine was last logged on to.

I am using landesk to collect the information. I can look at when a file was last executed or find a registry key.

I have tried using userinit.exe but the results were not reliable. Does anyone know of a way to show this?

Cheers.

Peter
0
Comment
Question by:PLSM
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +5
19 Comments
 
LVL 22

Accepted Solution

by:
pjedmond earned 125 total points
ID: 16999898
The 'Event Viewer' security log should show when a user logged on/off, and the application log will show which user executed an application and when. You'll need to read the files rather than just look at the timestamp I'm afraid.

If the logon is authenticated as part of an domain, then the server logs may be of use?

(   (()
(`-' _\
 ''  ''
0
 

Author Comment

by:PLSM
ID: 17001062
Ah... Unfortunately we do not have Auditing enabled on any of our client computers, and this has got to work retrospectively.

I will have a look at AD, but I seem to remember that AD can only give you last login for the users, not when a computer was last logged in to. However, I could well be wrong!

Thanks.
0
 

Assisted Solution

by:cyberhic
cyberhic earned 125 total points
ID: 17002263
Excellent.....This should not be to bad.  The first thing that comes to mind is to just take a look at the "C:\documents and settings" folder using the "Details" view.  Check the modified dates and this will show you the last time the computer was logged into, and by whom.

If your workstation base is larger like mine.  Just write a script to do it.  You could get export a list or workstations out of AD or even Server Manager (NT) and then just loop your script to collect file modify dates from each machine.  Easy pleasy.

If your not a scripter, check out:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Its a great resource...
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 33

Expert Comment

by:MikeKane
ID: 17002291
In an XP machine, look in the "Documents and settings folder". You can check the date stamp on the hidden file NTUSER.DAT.   The date should give you a good idea when the mahcine was last used by that person.  

You'll need to look in every profile directory for each instance of NTUSER.DAT, and return the most recent date on the ntuser file from any of the profile directories.  

0
 
LVL 26

Expert Comment

by:Pber
ID: 17002586
Try this script:

MAXIMUM_PASSWORD_AGE = 30

dtmDate = DateAdd("d", -MAXIMUM_PASSWORD_AGE, Now())
dbl100NanoSecs = 10000000 * (DateDiff("s", "1/1/1601", dtmDate))
dbl100NanoSecs = FormatNumber(dbl100NanoSecs, 0, False, False ,0)

set oRootDSE = GetObject("LDAP://RootDSE")
strDomainNC = oRootDSE.Get("defaultNamingContext")
set oRootDSE = Nothing


Set oConnection   = CreateObject("ADODB.Connection")
oConnection.Provider   = "ADsDSOObject"
oConnection.Open "Active Directory Provider"

Set oCommand = CreateObject("ADODB.Command")
Set oCommand.ActiveConnection = oConnection

strQuery = "<LDAP://" & strDomainNC & ">;(&(objectCategory=Computer)(lastLogonTimestamp<=" & dbl100NanoSecs & "));ADSPath;subtree"  
WScript.Echo strQuery
oCommand.CommandText = strQuery  
oCommand.Properties("Page Size") = 1000
Set oRecordSet = oCommand.Execute

if not oRecordSet.Eof Then

      WScript.Echo "Total: " & oRecordSet.RecordCount
      While Not oRecordSet.Eof
            Set ObjComp = GetObject(oRecordSet.Fields("AdsPath").Value)
            set objLogon = ObjComp.Get("lastLogonTimestamp")
            intLogonTime = objLogon.HighPart * (2^32) + objLogon.LowPart
            intLogonTime = intLogonTime / (60 * 10000000)
            intLogonTime = intLogonTime / 1440
            intLogonTime = intLogonTime + #1/1/1601#
            
            WScript.Echo Replace(Objcomp.name,"CN=","") & ", " & intLogonTime
      '      End if
            oRecordSet.MoveNext
      Wend
      
end If
WScript.Echo("done...")
0
 
LVL 26

Expert Comment

by:Pber
ID: 17002639
Hmmmm, now that I read your post, this will probably not do the trick.  This will show the last time the computer was last on the domain, but for it to work in your case, the machine would have had to been powered off or disconnected from the network.
0
 
LVL 6

Assisted Solution

by:engineer_dell
engineer_dell earned 125 total points
ID: 17006981
Probably what you want is a software like this, LANsurveyor > http://www.neon.com/lsa3.shtml
                            OR
http://www.rlmueller.net/Last%20Logon.htm
This program can be modified to retrieve the lastLogon date for all
computers instead of all users by changing this statement:

strFilter = "(& (objectCategory=person)(objectClass=user
))"
to this:
strFilter = "(objectCategory=computer)"

I hope this helps.

Engineer_Dell
0
 

Author Comment

by:PLSM
ID: 17011159
Thanks for all the comments. I will try it all and come back to the group.
0
 
LVL 14

Assisted Solution

by:FriarTuk
FriarTuk earned 125 total points
ID: 17027348
http://www.microsoft.com/technet/scriptcenter/default.mspx

http://support.microsoft.com/default.aspx?scid=kb;en-us;300549
Administrative Tools
- Domain Security Polices > Local Polices > Audit Policies
- Define Audit Account Logon Events
- Define Audit Logon Events
event viewer, rclk System Log > Properties > Filter (by computer, user, etc)

also see this from robwill
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21902477.html#17004392
0
 
LVL 14

Expert Comment

by:FriarTuk
ID: 17169775
plsm, plx respond to the advice in my last comment on 7/2
0
 

Author Comment

by:PLSM
ID: 17170779
The resolution has been found. Thanks for all your comments. Unfortunately LANDesk has to be used for this task for political reasons.

In case your are interested, in brief, we have solved this by writing a login/logoff date, time, and user name to the client machines, using some VBS in a login script. Using the login script we do some time calculation to find the difference between login and logout. That value is then written to another key, named by month. Every time someone logs on and off the time value found is added to the value already in the month key. When a new month starts a new month key is created. That key can then be found by LANDesk and reports can be made.

Thanks again for you comments.
0
 
LVL 14

Expert Comment

by:FriarTuk
ID: 17173770
so you didn't find the script from Robwill from the below link (orginally listed in above thread) helpful to build your script?
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21902477.html#17004392
0
 
LVL 88

Expert Comment

by:rindi
ID: 17261760
PLSM, can you please follow my advice above? It helps a lot if you close your own question, thanks.

rindi,
EE Cleanup Volunteer
0
 
LVL 88

Expert Comment

by:rindi
ID: 17315656
PLSM, are you still there? Have you read my last post?
0
 
LVL 14

Expert Comment

by:FriarTuk
ID: 17340586
i think my comment from 7/2 should be accepted since he stated on 7/24 he made a login/logoff script which my link pointing to Robwill's advice more than likely helped them make theirs or at least mentions doing so which led to the answer.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Administrator Tools 2 76
aix tls version 6 645
cat /etc/debian_version returns stretch/sid instead of version 12 356
Restoring files with VSS not possible Path too long 2 123
Just about everyone has an old PC laying around.  Ask anyone in the IT industry, whether they are a professional or play in it as a hobby.  From outdated Desktops to cheap "throwaway" laptops, they are all around and not as hard to "fix up" as you m…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question