Avatar of aristosv
aristosv
Flag for Cyprus asked on

Where is this user logged in?

Here's the problem:

- The User log's-in with remote desktop on multiple servers.
- Instead of logging off, he simply disconnects his sessions.
- He changes his Active Directory password on one of the servers he is logged in.
- The servers he is disconnected from, send his old credentials to the domain controllers.
- The domain controllers lock the user's accounts.

Now, I need to find out on which servers this user is logged in because I need to log him off from all of them, to stop the account locking.

How can I do that? How can I see on which servers this user is logged in?
Windows Server 2008Active DirectoryWindows OS

Avatar of undefined
Last Comment
deroode

8/22/2022 - Mon
Krzysztof Pytko

You cannot until those servers are not in Terminal/Remote Desktop Services. There is no centralized tool for that in Windows. You need to check each server/workstation manually.

For that you can use qwinsta command with /server switch to access remote servers.

Regards,
Krzysztof
aristosv

ASKER
I cannot access each server one by one. There are hundreds of them. I need something to scan them all, and tell me on which servers the user is logged in. They are in different vlans also.
Krzysztof Pytko

Another option for that is to use PsLoggedOn free SysInternals tool
http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

and use that in script

Krzysztof
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
aristosv

ASKER
Do you have a script ready?
Or can you provide instruction on how to make one?
Krzysztof Pytko

I can help you with that. Do you want to see servers or workstations ?
Can you provide me OU location of them please? I will create a script for you

Krzysztof
aristosv

ASKER
It will have to scan servers and workstations both. I cannot provide an OU because of confidentiality issues, but you can put an example and i will modify it

Thanks
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Chris

or you can use event comb to look for the lock out event and check the source - that will help you

http://support.microsoft.com/kb/824209

just need to look to the DC's and that will point you at server they are logged onto
Venugopal N

Follow the below steps which will give the computer which locks the user account.

Run the LockoutStatus.exe and select the user id on the tool ( http://www.microsoft.com/en-us/download/details.aspx?id=18465 to download the exe), which will give the DC from which the user account are get authenticated.

Perform the below step on the DC

1.On Domain Controller open Event Viewer and select Security Logs, Right Click and select Filter Current Log
2. In the Filter Current Log Window, select XML tab and select the Check Box that says "Edit Query Manually"
3. Once this Check Box is selected, you will be able to edit the XML tags in the window. Type the following text in that box and hit OK
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4771)]]and *[EventData[Data[1]='LAN ID']] </Select>
</Query>
</QueryList>
3. Now you will see only events related to the failed logon attempts for that user on that DC
4. From the Events, you can get the IP address of the client from where the Authentication was requested.Check if any session for the user is active and kill the session Or disconnect the Map drive which has been mapped to that server.
aristosv

ASKER
I do not have access on the domain controller event logs.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Chris

can you get someone with access to the event logs to help you

or give you permissions to check them

without that you are going to struggle to do a lot of these things as the required Admin rights
aristosv

ASKER
The idea is not to bother the people with access. I can login on all the machines as an administrator. But not on the domain controllers.
Chris

without access to the DC's most of the easy ways aren't going to work

how many servers are we talking about as you could add them to a RDP connection manager - only need to do that once and then you could see where the disconnected sessions are
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Krzysztof Pytko

OK, then try to use this way (you need to have Administrative/RSAT Tools installed on your computer) or log on to any Windows Server 2003 and type this in command-line.

first, create a folder to which you put results on C-Drive i.e. SERVERS

dsquery computer -name * -limit 0 | dsget computer -samid | find /v "dsget" | find /v "samid" >>c:\servers.txt

Open in new window


this exports all servers/workstations names into text file. Now use the second script to get information about used sessions on them

for /f %i in (c:\servers.txt) do qwinsta /SERVER:%i >c:\servers\%i.log

Open in new window


each server will save information on C-Drive in folder SERVERS a text file with its name and active/inactive RDP sessions

Krzysztof
aristosv

ASKER
Thats not going to help either. We are talking about more than 1500 machines. If the resulting data were put in a single file then maybe i could search for the username. But seperate files dont help.
Krzysztof Pytko

So, replace previous command by this one

for /f %i in (c:\servers.txt) do qwinsta /SERVER:%i >>c:\servers\user.log

Open in new window


that would be in a single file

Krzysztof
Your help has saved me hundreds of hours of internet surfing.
fblack61
Chris

Chris

aristosv

ASKER
It seems that in order to install RSAT Tools I need a Windows Vista or Windows 7 machine, which I do not. And if I want one, I have to justify the cost. Which is a process I do not want to go through.

I have Windows XP. Can we find a solution for that?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Krzysztof Pytko

QWINSTA is available in XP but to be able to use Microsoft DSTools, you need to install Administrative Tools on your XP machine
http://www.microsoft.com/en-us/download/details.aspx?id=7045

Krzysztof
aristosv

ASKER
Please provide instructions on how to use the QWINSTA tool. I have 1500 machines, servers and workstations and I need to find on which of these machines is a specific user logged in.
ASKER CERTIFIED SOLUTION
Krzysztof Pytko

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
deroode

Use UserLocator:

http://www.motivatesystems.com/User_Locator.asp

It will tell you where a user is logged in.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23