Solved

Last Login Information for Both Local Users and Domain Users to a Particular Windows 2003 Server

Posted on 2011-02-12
4
4,847 Views
Last Modified: 2012-05-11
My company is working to meet the requirements of security audit being conducted by a third-party.  One of the requirements is to provide a list of all of the users that have accessed a particular Windows 2003 server and their last login date and time.

The Windows 2003 server,  in question, is not a domain controller.  It is simply a member of the domain.  The third-party auditor wants a list of local users (from the server's local domain) and domain users that have logged into this server along with their last login date and time.

I realize I can get this information from the Event Viewer (under Security), but I would prefer not to have to parse out the entire security log for each user's (local or domain) last login information.

It's important to note that this server is just a Web server that belongs to our domain.  It is not a domain controller.  Also, the auditors do not want a list of users' last login information to the domain.  That information is easy to provide with AD tools or VBScript.

I found a VBScript that provides the last login information for local users to the Windows 2003 server.  It's very simple and does a good job with the local users of the Windows 2003 server.  The script is as follows:

Option Explicit
Dim objWMIService, colItems, WshNetwork, strComputer
Dim objUser, objItem, dtmLastLogin, strLogonInfo
Set WshNetwork = CreateObject("Wscript.Network")
strComputer = WshNetwork.ComputerName

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
("Select * from Win32_UserAccount Where Domain = '" & strComputer & "'")

For Each objItem in colItems
      dtmLastLogin = ""
      On Error Resume Next
      Set objUser = GetObject("WinNT://" & strComputer _
          & "/" & objItem.Name & ",user")
      dtmLastLogin = objUser.lastLogin
      On Error Goto 0

      strLogonInfo = strLogonInfo & vbCrLf & objItem.Name & ": " & dtmLastLogin
Next
MsgBox strLogonInfo, vbOKOnly + vbInformation, "Last Logon Information for Local Users"

I can easily modify this script to write information to a log file.  And, it works great for "local users".  But, what I need is a way to collect last login information for domain users that have logged into the machine via Remote Desktop, VMWare Infrastructure Client, etc.  We have several authorized IT team members whose domain accounts are members of the Windows 2003 server's local Administrator's group.  We also have a domain admin that remotely logs into this computer via Remote Desktop or VMWare Infrastructure Client.

So, I want to capture the last login information for the local users and the domain users that login to this server.  The above VBScript works just fine for the local users.  It does not capture information for the domain users.

I've searched for scripts that collect the last login information, but I can only find the above script or scripts that provide last login information for users when they authenticate to the domain (not the actual Windows 2003 server).

I'm hoping someone can direct me how to collect last login information for both local users and domain users that remotely login to a Windows 2003 server (a domain member server / not a domain contrroller).  A VBScript or PowerShell script would be wonderful.  Any other methods besides parsing the Event Viewer's Security log would also be welcome.

Many thanks in advance for your consideration!
0
Comment
Question by:gcrickman
4 Comments
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 34881130
I cant see a way to gather this information without parsing the sec log. It's possible to script that task, but does this information exist in the log? If you dont have the necessary auditing turned on, you won't be able to gather the information.
0
 
LVL 17

Expert Comment

by:chuku
ID: 34881140
event viewer will only show you who tried to access but it doesn't mean you see everyone who's got access to each directory in the file server
I'm working for a broker-dealer and we have to comply wit htons of regulation and audits. we're using a software that let you see which users have access to each directory - both domain users and local. it is called varonis and I can't imagine us passing audits without it...
0
 
LVL 5

Accepted Solution

by:
balmasri earned 500 total points
ID: 34882277
0
 

Author Closing Comment

by:gcrickman
ID: 34883515
NetUsers works great!  I'm going to combine it with a VBScript that gathers information on local systems accounts.  Many, many thanks!
0

Join & Write a Comment

Deploying a Microsoft Access application in a Citrix environment is not difficult but takes a few steps. However, Citrix system people are often of little help, as they typically know next to nothing about Access. The script provided here will take …
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now