aristosv asked:

Where is this user logged in?

Here's the problem:

- The user logs in with Remote Desktop on multiple servers.
- Instead of logging off, he simply disconnects his sessions.
- He changes his Active Directory password on one of the servers he is logged in to.
- The servers he is disconnected from send his old credentials to the domain controllers.
- The domain controllers lock the user's accounts.

Now, I need to find out on which servers this user is logged in because I need to log him off from all of them, to stop the account locking.

How can I do that? How can I see on which servers this user is logged in?

Krzysztof Pytko

You cannot until those servers are not in Terminal/Remote Desktop Services. There is no centralized tool for that in Windows. You need to check each server/workstation manually.

For that you can use the qwinsta command with the /server switch to access remote servers.

aristosv

I cannot access each server one by one. There are hundreds of them. I need something to scan them all, and tell me on which servers the user is logged in. They are in different VLANs also.

Another option for that is to use PsLoggedOn, a free Sysinternals tool,

and use that in a script

Do you have a script ready?
Or can you provide instruction on how to make one?

I can help you with that. Do you want to see servers or workstations?
Can you provide me the OU location of them, please? I will create a script for you

It will have to scan both servers and workstations. I cannot provide an OU because of confidentiality issues, but you can put in an example and I will modify it

or you can use event comb to look for the lock out event and check the source - that will help you

just need to look to the DCs and that will point you at the server they are logged onto

Follow the steps below, which will give you the computer that locks the user account.

Run LockoutStatus.exe and select the user ID in the tool ( to download the exe), which will give you the DC against which the user account is being authenticated.

Perform the steps below on the DC:

1. On the Domain Controller, open Event Viewer and select Security Logs, right-click and select Filter Current Log.
2. In the Filter Current Log window, select the XML tab and select the check box that says "Edit Query Manually".
3. Once this check box is selected, you will be able to edit the XML tags in the window. Type the following text in that box and hit OK:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4771)]] and *[EventData[Data[1]='LAN ID']]</Select>
</Query>
</QueryList>
4. Now you will see only events related to the failed logon attempts for that user on that DC.
5. From the events, you can get the IP address of the client from which the authentication was requested. Check if any session for the user is active and kill the session, or disconnect the mapped drive which has been mapped to that server.
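
The same 4771 filter can also be run from PowerShell and the client addresses tallied, shown here as an added example that is not part of the original answer. The DC name `DC01` and the account `jsmith` are placeholders, and the filter matches the `TargetUserName` field by name rather than by position.

```powershell
# Added example. $Dc and $User are placeholder values: use the DC reported
# by LockoutStatus.exe and the name of the locked-out account.
$Dc   = 'DC01'
$User = 'jsmith'

# Same selection as the Event Viewer XML filter, matching the
# TargetUserName field of event 4771 by name.
$xpath = "*[System[(EventID=4771)]] and " +
         "*[EventData[Data[@Name='TargetUserName']='$User']]"

$events = Get-WinEvent -ComputerName $Dc -LogName Security `
                       -FilterXPath $xpath -MaxEvents 500 -ErrorAction Stop

$failures = foreach ($ev in $events) {
    # Turn the <Data Name="..."> elements into a name -> value lookup
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time   = $ev.TimeCreated
        # IPv4 clients are usually logged as ::ffff:a.b.c.d
        Client = $data['IpAddress'] -replace '^::ffff:', ''
        Status = $data['Status']      # 0x18 = wrong password
    }
}

# One row per client address, busiest first, with the latest failure time
$failures |
    Group-Object Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'
           e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
```
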
I do not have access on the domain controller event logs.

can you get someone with access to the event logs to help you

or give you permissions to check them

without that you are going to struggle to do a lot of these things as they require Admin rights

The idea is not to bother the people with access. I can log in on all the machines as an administrator. But not on the domain controllers.

without access to the DCs most of the easy ways aren't going to work

how many servers are we talking about as you could add them to an RDP connection manager - only need to do that once and then you could see where the disconnected sessions are

OK, then try it this way (you need to have Administrative/RSAT Tools installed on your computer), or log on to any Windows Server 2003 machine and type this at the command line.

First, create a folder on the C: drive in which to put the results, i.e. SERVERS

dsquery computer -name * -limit 0 | dsget computer -samid | find /v "dsget" | find /v "samid" >>c:\servers.txt

This exports all server/workstation names into a text file. Now use the second script to get information about the sessions in use on them

rem dsget lists each computer account with a trailing $; "delims=$ " strips it
for /f "delims=$ " %i in (c:\servers.txt) do qwinsta /SERVER:%i >c:\servers\%i.log

For each server, this saves a text file with its name in the SERVERS folder on the C: drive, listing its active/inactive RDP sessions

That's not going to help either. We are talking about more than 1500 machines. If the resulting data were put in a single file then maybe I could search for the username. But separate files don't help.

So, replace the previous command with this one

rem dsget lists each computer account with a trailing $; "delims=$ " strips it
for /f "delims=$ " %i in (c:\servers.txt) do qwinsta /SERVER:%i >>c:\servers\user.log

that would be in a single file
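
A PowerShell variant of the sweep that keeps the server name next to each matching session, so one result file answers "which servers?" directly. This is an added example, not part of the original answers; the account name `jsmith` is a placeholder and `c:\servers.txt` is assumed to be the list produced by the dsquery step.

```powershell
# Added example. $User is a placeholder account name; c:\servers.txt is
# assumed to hold one computer name per line (from the dsquery step).
$User    = 'jsmith'
$servers = Get-Content 'c:\servers.txt' |
    ForEach-Object { $_.Trim().TrimEnd('$') } |   # drop the sAMAccountName $
    Where-Object { $_ }

$hits = foreach ($server in $servers) {
    # qwinsta prints a header plus one line per session. Errors (host
    # down, access denied) go to stderr and that host yields no lines.
    $lines = qwinsta /SERVER:$server 2>$null
    foreach ($line in $lines) {
        # Columns: SESSIONNAME USERNAME ID STATE. SESSIONNAME is blank
        # for disconnected sessions, so it is matched as optional.
        $pattern = "^[ >]\S*\s+$([regex]::Escape($User))\s+(\d+)\s+(\S+)"
        if ($line -match $pattern) {
            [pscustomobject]@{
                Server    = $server
                User      = $User
                SessionId = [int]$Matches[1]
                State     = $Matches[2]      # e.g. Active or Disc
            }
        }
    }
}

# Show the result and keep a single searchable file
$hits | Sort-Object Server | Format-Table -AutoSize
$hits | Export-Csv 'c:\servers\user.csv' -NoTypeInformation
```

Each row's `SessionId` and `Server` can then be passed to `logoff <SessionId> /server:<Server>` to end the stale session.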

It seems that in order to install RSAT Tools I need a Windows Vista or Windows 7 machine, which I do not. And if I want one, I have to justify the cost. Which is a process I do not want to go through.

I have Windows XP. Can we find a solution for that?
QWINSTA is available in XP but to be able to use Microsoft DSTools, you need to install Administrative Tools on your XP machine

Please provide instructions on how to use the QWINSTA tool. I have 1500 machines, servers and workstations, and I need to find on which of these machines a specific user is logged in.

Use UserLocator:

It will tell you where a user is logged in.