• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 583
  • Last Modified:

Finding if a PC is locked

Hi,

I have been trying a way to find out if a PC is locked or not, I can easily find out if the PC has someone logged onto it and who that user is using VBS, but I am unable to find any way to see if the PC has been locked

I want to be able to log who is leaving their PCs logged on and who locks them overnight

Any help would be appreciated
0
dgewin
Asked:
dgewin
  • 3
  • 3
1 Solution
 
ScottyworldCommented:
What OS are you using ?
Vista and Windows 7 have security log event ID of 4800 when the w/s gets locked, and a corresponding ID of 4801 when it is unlocked.
You could maybe code the vbs to check the security logs for these events ???

I don't think Win XP records the difference between a logoff and/or a lock, which is event ID 528/538, although it you're not bothered about distinguishing, then you could do the same again.

Or you could just use a GPO to configure the screensaver to force the workstation to lock after a period of inactivity and require a password on resume (thats how we handle it in our organisation)
0
 
dgewinAuthor Commented:
I am using 99% windows 7, so I may look into that option.

Where are these events located, I have looked at the Security events and cant find them?

Its not an issue of having to have them locked as I am shutting them down anyhow, I just want to know for reporting reasons who is leaving them unlocked when they go home
0
 
ScottyworldCommented:
How to find these:
At the run command, type: eventvwr <enter>
The logs you want to look at are located under:
Windows Logs > Security

Event ID: 4801/4800
Task Catagory: Other Logon/Logoff
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
dgewinAuthor Commented:
That is where I thought it would be, I am running Windows 7 and have no event IDs that are 4800/4801

All my logon and logoff ones are 4624/4634 etc

I lock and unlock my PC frequently

Perhaps I am missing something?
0
 
ScottyworldCommented:
It could be that the auditing of these events is not switched on.
Open gpedit.msc on your local machine, and go to:
Computer configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Make sure you have successful auditing on "Audit logon events"
The default setting for Other Logon/Logoff Events is "No Auditing"

Alternatively, this may be defined by your corporate group policy so you may need to check there (if you have access to it)
0
 
dgewinAuthor Commented:
Thanks, I will have to have a play around with the scripting side to see if it will do what I want now
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now