How to determine last logon time for Local User accounts on a Windows 2000 Server (NOT DOMAIN)

Hello Experts,

I am hoping someone can assist me with this challenge I am facing.  I have a Windows 2000 Server which is just a member server part of a DOMAIN.  It has about 200 LOCAL computer users which are used to only authenticate into a special group of users to use an application running on this server.  I need to find a way to run a utility or a script which can tell me the LAST LOGON TIME for the LOCAL users only.  This is to allow us to perform audit administration.  Please note, this is not a script or a tool for AD or the DOMAIN, it is only for the local computer/server accounts.  

I would appreciate anyone's assistance on this matter.  Thank You
seiger Asked:

sirbounty Commented:
Something like this should loop through all users, scanning the event logs for their logon audit...


Dim objWMI
Dim objNet: Set objNet = CreateObject("Wscript.Network")
Dim colUsers: Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intLogonID = 540 'Event ID for successful logon

For Each objUser In colUsers
  Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
  strQry = "Select * from Win32_NTLogEvent Where EventCode='" & intLogonID & "' And User='" & objUser.Name & "'"
  Set colEvents = objWMI.ExecQuery(strQry)
  For Each objItem In colEvents
    wscript.echo objItem.SourceName, objItem.EventCode, objItem.Type, objItem.User
    wscript.echo objItem.Message
  Next
Next
0
seiger (Author) Commented:
Sirbounty, thanks for your quick response.  I have a couple of questions;

1) How do I run this script on the Windows 2000 Server?

2)  If I run this script, is there a way to specify it to show me the last logon time before 90 and prior?

3)  Does anything like logon event auditing have to be turned ON or can I run this script now and get history information?

Thanks for your assistance.
0
sirbounty Commented:
1) Save it as FindLogons.vbs and double-click it to run (you didn't specify needed output, so this just displays it on screen)

2) Um, could probably adjust it to something like that, I think...  Consider this post my 'feeler' to establish what you were after exactly.  I thought it'd be close, but was prepared to tweak it as well... ;)

3) If I'm not mistaken, I think that may be enabled by default.  Click Start->Run->Eventvwr <Enter> - check the security logs - you can sort by event id...see if there are any 540s in there...
0

seiger (Author) Commented:
Sirbounty,

When I run the FindLogons.vbs on my XP Pro SP2 machine, I get an error with the script, "Line: 1" and "Char 1" Error: Invalid Character, Source: Compilation Error.
I'm not sure why.
If possible, I would like to find a way to be able to specify a # for the last time users logged in.  E.g. How many users have not logged into the server in the last 100 days?
0
sirbounty Commented:
You can remove that - though I'm not sure either..
Dim objWMI should be 'valid'... : \
0
seiger (Author) Commented:
I tried running the script with the first line and without, but after I run it, it just sits there and doesn't really go anywhere.  Any suggestions?
0
sirbounty Commented:
Checking it out now - looks like I was mistaken.  Apparently it's a 528 for 'local' logon...

0
sirbounty Commented:
Try this version...the intDays is your days since logon.


Dim objNet: Set objNet = CreateObject("Wscript.Network")

Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intDays=90
intLogonID = 528 'Event ID for successful logon

For Each objUser In colUsers
  Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
  strQry = "Select * from Win32_NTLogEvent Where EventCode=" & intLogonID
  Set colEvents = objWMI.ExecQuery(strQry)
  For Each objItem In colEvents
    If Instr(objItem.User, objUser.Name) > 0 Then
      strDate=Mid(objItem.TimeWritten,5,2) & "/" & Mid(objItem.TimeWritten,7,2) & "/" & left(objItem.TimeWritten,4)
      If dateDiff("d",strDate,Date) > intDays Then
        wscript.echo "It's been more than " & intDays & " since " & objUser.Name & " logged onto this machine."
  Next
Next
0
seiger (Author) Commented:
Hi SirBounty,

I get the following error;

Line: 17
Char: 3
Error: Unexpected 'Next'
Code: 800A041F
Source: Microsoft VBScript compilation error
0
Steve Knight (IT Consultancy) Commented:
As sirbounty appears to be in bed or something .. From my basic VBS knowledge I imagine the two IF commands on the end have gone into your vbs text file as two lines.  Make sure the wscript.echo bit is on the end of the previous line (with a space after the THEN) and the same for the strDate bit.

If not I'm sure sirbounty will be along anyway, was just passing...

Steve
0
sirbounty Commented:
Thanx Steve...I really dislike the wrapping on the new site.

Let's try it by closing off the two if lines...

Dim objNet: Set objNet = CreateObject("Wscript.Network")

Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intDays=90
intLogonID = 528 'Event ID for successful logon

For Each objUser In colUsers
  Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
  strQry = "Select * from Win32_NTLogEvent Where EventCode=" & intLogonID
  Set colEvents = objWMI.ExecQuery(strQry)
  For Each objItem In colEvents
    If Instr(objItem.User, objUser.Name) > 0 Then
      strDate=Mid(objItem.TimeWritten,5,2) & "/" & Mid(objItem.TimeWritten,7,2) & "/" & left(objItem.TimeWritten,4)
      If dateDiff("d",strDate,Date) > intDays Then
        wscript.echo "It's been more than " & intDays & " since " & objUser.Name & " logged onto this machine."
      End If
    End If
  Next
Next
0
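Added example, not code from any poster in this thread: the event-log approach above reworked so that it reads the Security log once, keeps only the newest event 528 per local account, and lists the accounts whose newest logon is more than INT_DAYS days old. It assumes logon events are being audited and that the log still covers the period of interest; the names INT_DAYS, LOGON_EVENT, dictLast, strPrefix and DmtfToDate are this example's own.

```vbscript
' Added example (not from the thread): newest event 528 per local account.
Option Explicit
Const INT_DAYS = 90        ' assumed threshold, same role as intDays above
Const LOGON_EVENT = 528    ' logon event ID used in the thread

Dim objNet, objWMI, colEvents, objEvent, colUsers, objUser
Dim dictLast, strPrefix, strName, dtWhen

Set objNet = CreateObject("WScript.Network")
strPrefix = objNet.ComputerName & "\"
Set dictLast = CreateObject("Scripting.Dictionary")
dictLast.CompareMode = vbTextCompare   ' account names are not case-sensitive

' Query the Security log once instead of once per user.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
Set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent " & _
    "Where Logfile='Security' And EventCode=" & LOGON_EVENT)

For Each objEvent In colEvents
  If Not IsNull(objEvent.User) Then
    ' User is "MACHINE\name" or "DOMAIN\name"; keep this machine's accounts only.
    If StrComp(Left(objEvent.User, Len(strPrefix)), strPrefix, vbTextCompare) = 0 Then
      strName = Mid(objEvent.User, Len(strPrefix) + 1)
      dtWhen = DmtfToDate(objEvent.TimeWritten)
      If Not dictLast.Exists(strName) Then
        dictLast.Add strName, dtWhen
      ElseIf dtWhen > dictLast(strName) Then
        dictLast(strName) = dtWhen      ' remember the most recent logon
      End If
    End If
  End If
Next

' Walk the local accounts and report the stale ones.
Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
For Each objUser In colUsers
  If Not dictLast.Exists(objUser.Name) Then
    WScript.Echo objUser.Name & ";NO 528 EVENT IN LOG"
  ElseIf DateDiff("d", dictLast(objUser.Name), Now) > INT_DAYS Then
    WScript.Echo objUser.Name & ";" & dictLast(objUser.Name)
  End If
Next

' Convert a WMI DMTF timestamp (yyyymmddHHMMSS.mmmmmm+UUU) to a VBScript Date.
Function DmtfToDate(strDmtf)
  DmtfToDate = DateSerial(Left(strDmtf, 4), Mid(strDmtf, 5, 2), Mid(strDmtf, 7, 2)) + _
               TimeSerial(Mid(strDmtf, 9, 2), Mid(strDmtf, 11, 2), Mid(strDmtf, 13, 2))
End Function
```

Run it with cscript //nologo so each result is a console line rather than a message box. An account listed as having no event may simply have logged on before the oldest record still held in the Security log.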
seiger (Author) Commented:
When I run this script, nothing really happens.  I've tried it from command prompt "wscript findlogons.vbs" and I've also just tried double-clicking it but nothing happens.  I am doing this on a Win XP Pro machine.  Do I have to do it on the Windows 2000 server?
0
Colosseo Commented:
Hi, try this: again, save it as a vbs file and run it. A file called c:\output.txt should be created.

If the value is NOT FOUND then the user either never logged on, or the lastlogin for him/her has been removed. Otherwise it is the date he/she last logged in.

Scott


' Run the code
get_Last_Logons()

' Return all users who have never logged in or last logged in more than 90 days ago
Sub get_Last_Logons()
on error resume next

      Dim oOutput      ' The file to write the output to
      Dim colUsers      ' Collection of local users on the server
      Dim strLastLogin ' String to hold the last login date if found

      ' Create the output file
      Set oOutput = CreateObject("Scripting.FileSystemObject").OpenTextFile("c:\output.txt",2,True)

      ' Get the servers local users
      Set colUsers = GetObject("WinNT://" & CreateObject("Wscript.Network").ComputerName)
      colUsers.Filter = Array("user")

      ' For each user in the collection
      For Each oUser In colUsers
            ' Get the last login property
            strLastLogin = oUser.LastLogin

            ' If an error occurred then output that the last login was not found
            If err.number <> 0 Then
                  err.Clear
                  oOutput.WriteLine oUser.Name & ";NOT FOUND"
            
            ' Else output the user id and the last login time for users who last logged in more than 90 days ago
            ElseIf dateDiff("d",strLastLogin,Date) > 90 Then
                    oOutput.WriteLine oUser.Name & ";" & strLastLogin
            End If
      Next
      
      ' Tidy up
      oOutput.Close
      Set oOutput = Nothing

End Sub
0

seiger (Author) Commented:
Colosseo,

Thanks for your response, this script almost works perfect.  Can you please clarify what "NOT FOUND" actually means?  Also, what would it show if the user has never logged in?  Thanks!
0
Colosseo Commented:
NOT FOUND (which can be changed to any message you like) means that there was no LastLogin property for this user object.

Effectively if a user returns NOT FOUND it means the user has never logged in

Scott
0
Microsoft Server OS