Solved

How to determine last logon time for Local User accounts on a Windows 2000 Server (NOT DOMAIN)

Posted on 2007-03-20
15
7,454 Views
Last Modified: 2013-12-05
Hello Experts,

I am hoping someone can assist me with this challenge I am facing.  I have a Windows 2000 Server which is just a member server part of a DOMAIN.  It has about 200 LOCAL computer users which are used to only authenticate into a special group of users to use an application running on this server.  I need to find a way to run a utility or a script which can tell me the LAST LOGON TIME for the LOCAL users only.  This is to allow us to perform audit administration.  Please note, this is not a script or a tool for AD or the DOMAIN, it is only for the local computer/server accounts.  

I would appreciate anyone's assistance on this matter.  Thank You
0
Comment
Question by:seiger
  • 6
  • 6
  • 2
  • +1
15 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 18761127
Something like this should loop through all users, scanning the event logs for their logon audit...


Dim objWMI
Dim objNet: Set objNet = CreateObject("Wscript.Network")
Dim colUsers: Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intLogonID = 540 'Event ID for successful logon

For Each objUser In colUsers
  Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
  strQry = "Select * from Win32_NTLogEvent Where EventCode='" & intLogonID & "' And User='" & objUser.Name & "'"
  Set colEvents = objWMI.ExecQuery(strQry)
  For Each objItem In colEvents
    wscript.echo objItem.SourceName, objItem.EventCode, objItem.Type, objItem.User
    wscript.echo objItem.Message
  Next
Next
0
 

Author Comment

by:seiger
ID: 18761192
Sirbounty, thanks for your quick response.  I have a couple of questions;

1) How do I run this script on the Windows 2000 Server?

2)  If I run this script, is there a way to specify it to show me the last logon time before 90 and prior?

3)  Does anything like logon event auditing have to be turned ON or can I run this script now and get history information?

Thanks for your assistance.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 18761225
1) Save it as FindLogons.vbs and double-click it to run ( you didn't specify needed output, so this just displays it on screen)

2) Um, could probably adjust it to something like that, I think...  Consider this post my 'feeler' to establish what you were after exactly.  I thought it'd be close, but was prepared to tweak it as well... ;)

3) If I'm not mistaken, I think that may be enabled by default.  Click Start->Run->Eventvwr <Enter> - check the security logs - you can sort by event id...see if there are any 540s in there...
0
 

Author Comment

by:seiger
ID: 18761303
Sirbounty,

When I run the FindLogons.vbs on my XP Pro SP2 machine, I get an error with the script, "Line: 1" and "Char 1" Error: Invalid Character, Source: Compilation Error.  
 i'm not sure why.  
If possible, I would like to find a way to be able to specify a # for the last time users logged in.  E.g. How many users have not logged into the server in the last 100 days?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 18761314
You can remove that - though I'm not sure either..
Dim objWMI should be 'valid'... : \
0
 

Author Comment

by:seiger
ID: 18761387
I tried running the script with the first line and without but after i run it, it just sits there and doesn't really go anywhere.  Any suggestions?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 18761406
Checking it out now - looks like I was mistaken.  Apparently it's a 528 for 'local' logon...

0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 67

Expert Comment

by:sirbounty
ID: 18761463
Try this version...the intDays is your days since logon.


Dim objNet: Set objNet = CreateObject("Wscript.Network")

Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intDays=90
intLogonID = 528 'Event ID for successful logon

For Each objUser In colUsers
  Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
  strQry = "Select * from Win32_NTLogEvent Where EventCode=" & intLogonID
  Set colEvents = objWMI.ExecQuery(strQry)
  For Each objItem In colEvents
    If Instr(objItem.User, objUser.Name) > 0 Then
      strDate=Mid(objItem.TimeWritten,5,2) & "/" & Mid(objItem.TimeWritten,7,2) & "/" & left(objItem.TimeWritten,4)
      If dateDiff("d",strDate,Date) > intDays Then
        wscript.echo "It's been more than " & intDays & " since " & objUser.Name & " logged onto this machine."
  Next
Next
0
 

Author Comment

by:seiger
ID: 18761479
Hi SirBounty,

I get the following error;

Line: 17
Char: 3
Error: Unexpected 'Next'
Code: 800A041F
Source: Microsoft VBScript compilation error
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 18762931
As sirbounty appears to be in bed or something .. From my basic VBS knowledge I imagine te two IF commands on the end have gone into your vbs text file as too lines.  Make sure the wscript.echo bit is on the end of the previous line (with a space after the THEN) and the same for the strDate bit.

If not I'm sure sirbounty will be along anyway, was just passing...

Steve
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 18763091
Thanx Steve...I really dislike the wrapping on the new site.

Let's try it by closing off the two if lines...

Dim objNet: Set objNet = CreateObject("Wscript.Network")

Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intDays=90
intLogonID = 528 'Event ID for successful logon

For Each objUser In colUsers
  Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
  strQry = "Select * from Win32_NTLogEvent Where EventCode=" & intLogonID
  Set colEvents = objWMI.ExecQuery(strQry)
  For Each objItem In colEvents
    If Instr(objItem.User, objUser.Name) > 0 Then
      strDate=Mid(objItem.TimeWritten,5,2) & "/" & Mid(objItem.TimeWritten,7,2) & "/" & left(objItem.TimeWritten,4)
      If dateDiff("d",strDate,Date) > intDays Then
        wscript.echo "It's been more than " & intDays & " since " & objUser.Name & " logged onto this machine."
      End If
    End If
  Next
Next
0
 

Author Comment

by:seiger
ID: 18765835
When I run this script, nothing really happens.  I've tried it from command prompt "wscript findlogons.vbs" and i've also just tried double-clicking it but nothing happens.  I am doing this on a Win XP Pro machine.  Do I have to do it on the Windows 2000 server?
0
 
LVL 15

Accepted Solution

by:
Colosseo earned 500 total points
ID: 18778940
Hi, try this: again save it as a vbs file and run it. a file called c:\output.txt should be created.

If the value is NOT FOUND then the user either never logged on, or the lastlogin for him her has been removed. Otherwise it is the date he/she last logged in.

Scott


' Run the code
get_Last_Logons()

' Return all users who have never logged in or last logged in more that 90 days ago
Sub get_Last_Logons()
on error resume next

      Dim oOutput      ' The file to write the output to
      Dim colUsers      ' Collection of local users on the server
      Dim strLastLogin ' String to hold the last login date if found

      ' Create the output file
      Set oOutput = CreateObject("Scripting.FileSystemObject").OpenTextFile("c:\output.txt",2,True)

      ' Get the servers local users
      Set colUsers = GetObject("WinNT://" & CreateObject("Wscript.Network").ComputerName)
      colUsers.Filter = Array("user")

      ' For each user in the collection
      For Each oUser In colUsers
            ' Get the last login property
            strLastLogin = oUser.LastLogin

            ' If an error occured then output that the last login was not found
            If err.number <> 0 Then
                  err.Clear
                  oOutput.WriteLine oUser.Name & ";NOT FOUND"
            
            ' Else output the user id and the last login time for users who last logged in more than 90 days ago
            ElseIf dateDiff("d",strLastLogin,Date) > 90 Then
                    oOutput.WriteLine oUser.Name & ";" & strLastLogin
            End If
      Next
      
      ' Tidy up
      oOutput.Close
      Set oOutput = Nothing

End Sub
0
 

Author Comment

by:seiger
ID: 18783175
Colosseo,

Thanks for your response, this script almost works perfect.  Can you please clarify what "NOT FOUND" actually means?  Also, what would it show if the user has never logged in?  Thanks!
0
 
LVL 15

Expert Comment

by:Colosseo
ID: 18784874
NOT FOUND (which can be changed to any message you like) means that there was no LastLogin property for this user object.

Effectively if a user returns NOT FOUND it means the user has never logged in

Scott
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
Use this article to create a batch file to backup a Microsoft SQL Server database to a Windows folder.  The folder can be on the local hard drive or on a network share.  This batch file will query the SQL server to get the current date & time and wi…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now