seiger
asked on
How to determine last logon time for Local User accounts on a Windows 2000 Server (NOT DOMAIN)
Hello Experts,
I am hoping someone can assist me with this challenge I am facing. I have a Windows 2000 Server which is just a member server part of a DOMAIN. It has about 200 LOCAL computer users which are used to only authenticate into a special group of users to use an application running on this server. I need to find a way to run a utility or a script which can tell me the LAST LOGON TIME for the LOCAL users only. This is to allow us to perform audit administration. Please note, this is not a script or a tool for AD or the DOMAIN, it is only for the local computer/server accounts.
I would appreciate anyone's assistance on this matter. Thank You
I am hoping someone can assist me with this challenge I am facing. I have a Windows 2000 Server which is just a member server part of a DOMAIN. It has about 200 LOCAL computer users which are used to only authenticate into a special group of users to use an application running on this server. I need to find a way to run a utility or a script which can tell me the LAST LOGON TIME for the LOCAL users only. This is to allow us to perform audit administration. Please note, this is not a script or a tool for AD or the DOMAIN, it is only for the local computer/server accounts.
I would appreciate anyone's assistance on this matter. Thank You
ASKER
Sirbounty, thanks for your quick response. I have a couple of questions;
1) How do I run this script on the Windows 2000 Server?
2) If I run this script, is there a way to specify it to show me the last logon time before 90 and prior?
3) Does anything like logon event auditing have to be turned ON or can I run this script now and get history information?
Thanks for your assistance.
1) How do I run this script on the Windows 2000 Server?
2) If I run this script, is there a way to specify it to show me the last logon time before 90 and prior?
3) Does anything like logon event auditing have to be turned ON or can I run this script now and get history information?
Thanks for your assistance.
1) Save it as FindLogons.vbs and double-click it to run ( you didn't specify needed output, so this just displays it on screen)
2) Um, could probably adjust it to something like that, I think... Consider this post my 'feeler' to establish what you were after exactly. I thought it'd be close, but was prepared to tweak it as well... ;)
3) If I'm not mistaken, I think that may be enabled by default. Click Start->Run->Eventvwr <Enter> - check the security logs - you can sort by event id...see if there are any 540s in there...
2) Um, could probably adjust it to something like that, I think... Consider this post my 'feeler' to establish what you were after exactly. I thought it'd be close, but was prepared to tweak it as well... ;)
3) If I'm not mistaken, I think that may be enabled by default. Click Start->Run->Eventvwr <Enter> - check the security logs - you can sort by event id...see if there are any 540s in there...
ASKER
Sirbounty,
When I run the FindLogons.vbs on my XP Pro SP2 machine, I get an error with the script, "Line: 1" and "Char 1" Error: Invalid Character, Source: Compilation Error.
i'm not sure why.
If possible, I would like to find a way to be able to specify a # for the last time users logged in. E.g. How many users have not logged into the server in the last 100 days?
When I run the FindLogons.vbs on my XP Pro SP2 machine, I get an error with the script, "Line: 1" and "Char 1" Error: Invalid Character, Source: Compilation Error.
i'm not sure why.
If possible, I would like to find a way to be able to specify a # for the last time users logged in. E.g. How many users have not logged into the server in the last 100 days?
You can remove that - though I'm not sure either..
Dim objWMI should be 'valid'... : \
Dim objWMI should be 'valid'... : \
ASKER
I tried running the script with the first line and without but after i run it, it just sits there and doesn't really go anywhere. Any suggestions?
Checking it out now - looks like I was mistaken. Apparently it's a 528 for 'local' logon...
Try this version...the intDays is your days since logon.
Dim objNet: Set objNet = CreateObject("Wscript.Netw ork")
Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intDays=90
intLogonID = 528 'Event ID for successful logon
For Each objUser In colUsers
Set objWMI = GetObject("winmgmts:{imper sonationLe vel=impers onate,(Sec urity)}!\\ .\root\cim v2")
strQry = "Select * from Win32_NTLogEvent Where EventCode=" & intLogonID
Set colEvents = objWMI.ExecQuery(strQry)
For Each objItem In colEvents
If Instr(objItem.User, objUser.Name) > 0 Then
strDate=Mid(objItem.TimeWr itten,5,2) & "/" & Mid(objItem.TimeWritten,7, 2) & "/" & left(objItem.TimeWritten,4 )
If dateDiff("d",strDate,Date) > intDays Then
wscript.echo "It's been more than " & intDays & " since " & objUser.Name & " logged onto this machine."
Next
Next
Dim objNet: Set objNet = CreateObject("Wscript.Netw
Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intDays=90
intLogonID = 528 'Event ID for successful logon
For Each objUser In colUsers
Set objWMI = GetObject("winmgmts:{imper
strQry = "Select * from Win32_NTLogEvent Where EventCode=" & intLogonID
Set colEvents = objWMI.ExecQuery(strQry)
For Each objItem In colEvents
If Instr(objItem.User, objUser.Name) > 0 Then
strDate=Mid(objItem.TimeWr
If dateDiff("d",strDate,Date)
wscript.echo "It's been more than " & intDays & " since " & objUser.Name & " logged onto this machine."
Next
Next
ASKER
Hi SirBounty,
I get the following error;
Line: 17
Char: 3
Error: Unexpected 'Next'
Code: 800A041F
Source: Microsoft VBScript compilation error
I get the following error;
Line: 17
Char: 3
Error: Unexpected 'Next'
Code: 800A041F
Source: Microsoft VBScript compilation error
As sirbounty appears to be in bed or something .. From my basic VBS knowledge I imagine te two IF commands on the end have gone into your vbs text file as too lines. Make sure the wscript.echo bit is on the end of the previous line (with a space after the THEN) and the same for the strDate bit.
If not I'm sure sirbounty will be along anyway, was just passing...
Steve
If not I'm sure sirbounty will be along anyway, was just passing...
Steve
Thanx Steve...I really dislike the wrapping on the new site.
Let's try it by closing off the two if lines...
Dim objNet: Set objNet = CreateObject("Wscript.Netw ork")
Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intDays=90
intLogonID = 528 'Event ID for successful logon
For Each objUser In colUsers
Set objWMI = GetObject("winmgmts:{imper sonationLe vel=impers onate,(Sec urity)}!\\ .\root\cim v2")
strQry = "Select * from Win32_NTLogEvent Where EventCode=" & intLogonID
Set colEvents = objWMI.ExecQuery(strQry)
For Each objItem In colEvents
If Instr(objItem.User, objUser.Name) > 0 Then
strDate=Mid(objItem.TimeWr itten,5,2) & "/" & Mid(objItem.TimeWritten,7, 2) & "/" & left(objItem.TimeWritten,4 )
If dateDiff("d",strDate,Date) > intDays Then
wscript.echo "It's been more than " & intDays & " since " & objUser.Name & " logged onto this machine."
End If
End If
Next
Next
Let's try it by closing off the two if lines...
Dim objNet: Set objNet = CreateObject("Wscript.Netw
Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intDays=90
intLogonID = 528 'Event ID for successful logon
For Each objUser In colUsers
Set objWMI = GetObject("winmgmts:{imper
strQry = "Select * from Win32_NTLogEvent Where EventCode=" & intLogonID
Set colEvents = objWMI.ExecQuery(strQry)
For Each objItem In colEvents
If Instr(objItem.User, objUser.Name) > 0 Then
strDate=Mid(objItem.TimeWr
If dateDiff("d",strDate,Date)
wscript.echo "It's been more than " & intDays & " since " & objUser.Name & " logged onto this machine."
End If
End If
Next
Next
ASKER
When I run this script, nothing really happens. I've tried it from command prompt "wscript findlogons.vbs" and i've also just tried double-clicking it but nothing happens. I am doing this on a Win XP Pro machine. Do I have to do it on the Windows 2000 server?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Colosseo,
Thanks for your response, this script almost works perfect. Can you please clarify what "NOT FOUND" actually means? Also, what would it show if the user has never logged in? Thanks!
Thanks for your response, this script almost works perfect. Can you please clarify what "NOT FOUND" actually means? Also, what would it show if the user has never logged in? Thanks!
NOT FOUND (which can be changed to any message you like) means that there was no LastLogin property for this user object.
Effectively if a user returns NOT FOUND it means the user has never logged in
Scott
Effectively if a user returns NOT FOUND it means the user has never logged in
Scott
Dim objWMI
Dim objNet: Set objNet = CreateObject("Wscript.Netw
Dim colUsers: Set colUsers = GetObject("WinNT://" & objNet.ComputerName)
colUsers.Filter = Array("user")
intLogonID = 540 'Event ID for successful logon
For Each objUser In colUsers
Set objWMI = GetObject("winmgmts:{imper
strQry = "Select * from Win32_NTLogEvent Where EventCode='" & intLogonID & "' And User='" & objUser.Name & "'"
Set colEvents = objWMI.ExecQuery(strQry)
For Each objItem In colEvents
wscript.echo objItem.SourceName, objItem.EventCode, objItem.Type, objItem.User
wscript.echo objItem.Message
Next
Next