Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 584
  • Last Modified:

Finding if a PC is locked

Hi,

I have been trying a way to find out if a PC is locked or not, I can easily find out if the PC has someone logged onto it and who that user is using VBS, but I am unable to find any way to see if the PC has been locked

I want to be able to log who is leaving their PCs logged on and who locks them overnight

Any help would be appreciated
0
dgewin
Asked:
dgewin
  • 3
  • 3
1 Solution
 
ScottyworldCommented:
What OS are you using ?
Vista and Windows 7 have security log event ID of 4800 when the w/s gets locked, and a corresponding ID of 4801 when it is unlocked.
You could maybe code the vbs to check the security logs for these events ???

I don't think Win XP records the difference between a logoff and/or a lock, which is event ID 528/538, although it you're not bothered about distinguishing, then you could do the same again.

Or you could just use a GPO to configure the screensaver to force the workstation to lock after a period of inactivity and require a password on resume (thats how we handle it in our organisation)
0
 
dgewinAuthor Commented:
I am using 99% windows 7, so I may look into that option.

Where are these events located, I have looked at the Security events and cant find them?

Its not an issue of having to have them locked as I am shutting them down anyhow, I just want to know for reporting reasons who is leaving them unlocked when they go home
0
 
ScottyworldCommented:
How to find these:
At the run command, type: eventvwr <enter>
The logs you want to look at are located under:
Windows Logs > Security

Event ID: 4801/4800
Task Catagory: Other Logon/Logoff
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
dgewinAuthor Commented:
That is where I thought it would be, I am running Windows 7 and have no event IDs that are 4800/4801

All my logon and logoff ones are 4624/4634 etc

I lock and unlock my PC frequently

Perhaps I am missing something?
0
 
ScottyworldCommented:
It could be that the auditing of these events is not switched on.
Open gpedit.msc on your local machine, and go to:
Computer configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Make sure you have successful auditing on "Audit logon events"
The default setting for Other Logon/Logoff Events is "No Auditing"

Alternatively, this may be defined by your corporate group policy so you may need to check there (if you have access to it)
0
 
dgewinAuthor Commented:
Thanks, I will have to have a play around with the scripting side to see if it will do what I want now
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now