Where is this user logged in?

aristosv
Here's the problem:

- The user logs in with Remote Desktop on multiple servers.
- Instead of logging off, he simply disconnects his sessions.
- He changes his Active Directory password on one of the servers he is logged in to.
- The servers he is disconnected from send his old credentials to the domain controllers.
- The domain controllers lock the user's account.

Now, I need to find out on which servers this user is logged in because I need to log him off from all of them, to stop the account locking.

How can I do that? How can I see on which servers this user is logged in?
Krzysztof Pytko, Senior Active Directory Engineer
Top Expert 2012

Commented:
You cannot until those servers are not in Terminal/Remote Desktop Services. There is no centralized tool for that in Windows. You need to check each server/workstation manually.

For that you can use the qwinsta command with the /server switch to access remote servers.

Regards,
Krzysztof

Author

Commented:
I cannot access each server one by one. There are hundreds of them. I need something to scan them all, and tell me on which servers the user is logged in. They are in different vlans also.
Krzysztof Pytko, Senior Active Directory Engineer
Top Expert 2012

Commented:
Another option for that is to use PsLoggedOn, a free Sysinternals tool
http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

and use that in a script

Krzysztof

Author

Commented:
Do you have a script ready?
Or can you provide instruction on how to make one?
Krzysztof Pytko, Senior Active Directory Engineer
Top Expert 2012

Commented:
I can help you with that. Do you want to see servers or workstations?
Can you provide me the OU location of them, please? I will create a script for you.

Krzysztof

Author

Commented:
It will have to scan both servers and workstations. I cannot provide an OU because of confidentiality issues, but you can put in an example and I will modify it.

Thanks
Chris, Lead Infrastructure Architect

Commented:
or you can use event comb to look for the lock out event and check the source - that will help you

http://support.microsoft.com/kb/824209

just need to look to the DC's and that will point you at server they are logged onto
Follow the steps below, which will give you the computer that is locking the user account.

Run LockoutStatus.exe and select the user ID in the tool (download the exe from http://www.microsoft.com/en-us/download/details.aspx?id=18465); it will give the DC from which the user account is being authenticated.

Perform the steps below on the DC

1. On the Domain Controller, open Event Viewer and select Security Logs, right-click and select Filter Current Log
2. In the Filter Current Log window, select the XML tab and select the check box that says "Edit Query Manually"
3. Once this check box is selected, you will be able to edit the XML tags in the window. Type the following text in that box and hit OK

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771)]] and *[EventData[Data[1]='LAN ID']]</Select>
  </Query>
</QueryList>

4. Now you will see only events related to the failed logon attempts for that user on that DC
5. From the events, you can get the IP address of the client from which the authentication was requested. Check whether any session for the user is active and kill the session, or disconnect the mapped drive that has been mapped to that server.
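
The event 4771 lookup from the steps above, as an added PowerShell example that is not part of the original thread: it runs the same kind of filter remotely and counts failures per client address, so the machine sending the stale password stands out. The DC name, user name and time window are placeholders, and the account running it needs read access to the DC's Security log.

```powershell
# Added example: list the clients behind a user's Kerberos pre-auth failures (event 4771).
# $DomainController and $User are placeholders; reading the DC Security log needs rights there.
param(
    [string]$DomainController = 'dc01.example.test',
    [string]$User             = 'jdoe',
    [int]   $Hours            = 24
)

# Same idea as the Event Viewer query, but matching the field by name
# (TargetUserName) and limited to the last $Hours hours.
$ms    = $Hours * 3600 * 1000
$xpath = "*[System[(EventID=4771) and TimeCreated[timediff(@SystemTime) <= $ms]]]" +
         " and *[EventData[Data[@Name='TargetUserName']='$User']]"

# Get-WinEvent reports "no events found" as an error; capture it instead of failing.
$events = Get-WinEvent -ComputerName $DomainController -LogName Security `
                       -FilterXPath $xpath -ErrorAction SilentlyContinue -ErrorVariable queryErr
if (-not $events) {
    Write-Warning "No 4771 events returned for $User from $DomainController. $queryErr"
    return
}

# Pull the named EventData fields out of each event's XML.
$failures = foreach ($e in $events) {
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        Client = $fields['IpAddress'] -replace '^::ffff:', ''   # IPv4-mapped form
        Status = $fields['Status']                              # 0x18 = wrong password
    }
}

# One row per client address, busiest first.
$failures | Group-Object Client | Sort-Object Count -Descending | ForEach-Object {
    New-Object PSObject -Property @{
        Client   = $_.Name
        Failures = $_.Count
        Statuses = ($_.Group | Select-Object -ExpandProperty Status -Unique) -join ','
        LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    }
} | Format-Table Client, Failures, Statuses, LastSeen -AutoSize
```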

Author

Commented:
I do not have access on the domain controller event logs.
Chris, Lead Infrastructure Architect

Commented:
can you get someone with access to the event logs to help you

or give you permissions to check them

without that you are going to struggle to do a lot of these things as the required Admin rights

Author

Commented:
The idea is not to bother the people with access. I can log in on all the machines as an administrator. But not on the domain controllers.
Chris, Lead Infrastructure Architect

Commented:
without access to the DC's most of the easy ways aren't going to work

how many servers are we talking about as you could add them to a RDP connection manager - only need to do that once and then you could see where the disconnected sessions are
Krzysztof Pytko, Senior Active Directory Engineer
Top Expert 2012

Commented:
OK, then try it this way (you need to have Administrative/RSAT Tools installed on your computer), or log on to any Windows Server 2003 machine and type this at the command line.

First, create a folder on the C: drive to hold the results, i.e. SERVERS

dsquery computer -name * -limit 0 | dsget computer -samid | find /v "dsget" | find /v "samid" >>c:\servers.txt

This exports all server/workstation names into a text file. Now use the second script to get information about the sessions on them

for /f "delims=$ " %i in (c:\servers.txt) do qwinsta /SERVER:%i >c:\servers\%i.log

Each server will save a text file, named after it and listing its active/inactive RDP sessions, in the SERVERS folder on the C: drive

Krzysztof

Author

Commented:
That's not going to help either. We are talking about more than 1500 machines. If the resulting data were put in a single file then maybe I could search for the username. But separate files don't help.
Krzysztof Pytko, Senior Active Directory Engineer
Top Expert 2012

Commented:
So, replace the previous command with this one

for /f "delims=$ " %i in (c:\servers.txt) do qwinsta /SERVER:%i >>c:\servers\user.log

that would be in a single file

Krzysztof
Chris, Lead Infrastructure Architect

Commented:

Author

Commented:
It seems that in order to install RSAT Tools I need a Windows Vista or Windows 7 machine, which I do not. And if I want one, I have to justify the cost. Which is a process I do not want to go through.

I have Windows XP. Can we find a solution for that?
Krzysztof Pytko, Senior Active Directory Engineer
Top Expert 2012

Commented:
QWINSTA is available in XP but to be able to use Microsoft DSTools, you need to install Administrative Tools on your XP machine
http://www.microsoft.com/en-us/download/details.aspx?id=7045

Krzysztof

Author

Commented:
Please provide instructions on how to use the QWINSTA tool. I have 1500 machines, servers and workstations and I need to find on which of these machines is a specific user logged in.
Senior Active Directory Engineer
Top Expert 2012
Commented:
Everything is given in my previous post above. Just download and install Administrative Tools, run dsquery to get the computers and then run the loop with qwinsta to get the required information.

I will re-post it once again here

All computers list
dsquery computer -name * -limit 0 | dsget computer -samid | find /v "dsget" | find /v "samid" >>c:\servers.txt

QWINSTA
for /f "delims=$ " %i in (c:\servers.txt) do qwinsta /SERVER:%i >>c:\servers\user.log

Krzysztof
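
The qwinsta sweep described in the posts above, as an added PowerShell example that is not part of the original thread: it asks each host only for the named user's sessions and writes one CSV that records the host name next to every hit, which the appended qwinsta output alone does not. It assumes PowerShell is available on the admin workstation and that the list file is the dsquery/dsget output; the paths and the user name are placeholders.

```powershell
# Added example: sweep a host list with qwinsta and write one CSV of where $User has a session.
# Paths and $User are placeholders; run as an account that is administrator on the targets.
param(
    [string]$ListPath = 'C:\servers.txt',
    [string]$User     = 'jdoe',
    [string]$OutPath  = 'C:\servers\user-sessions.csv'
)

# With a user name, qwinsta prints only that user's rows: USERNAME, ID, STATE.
$rowPattern = '(?i)\b' + [regex]::Escape($User) + '\s+(?<id>\d+)\s+(?<state>\S+)'

$sessions = foreach ($line in Get-Content $ListPath) {
    # dsget -samid prints computer accounts as NAME$; strip the $ to get a host name.
    $computer = $line.Trim().TrimEnd('$')
    if (-not $computer) { continue }

    # Hosts that are off or block ping are skipped and reported, not silently dropped.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "$computer did not answer ping, skipped"
        continue
    }

    # stderr carries "No session exists for ..." when the user is not on the host.
    $output = qwinsta $User "/server:$computer" 2>$null
    foreach ($row in $output) {
        if ($row -match $rowPattern) {
            New-Object PSObject -Property @{
                Computer  = $computer
                User      = $User
                SessionId = [int]$Matches['id']
                State     = $Matches['state']   # e.g. Active or Disc (disconnected)
            }
        }
    }
}

# One file for all hosts, plus a sorted table on screen.
$sessions | Select-Object Computer, User, SessionId, State |
    Export-Csv -Path $OutPath -NoTypeInformation
$sessions | Sort-Object Computer | Format-Table Computer, SessionId, State -AutoSize
```

Each session it reports can then be ended with `logoff <SessionId> /server:<Computer>`.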
deroode, Systems Administrator

Commented:
Use UserLocator:

http://www.motivatesystems.com/User_Locator.asp

It will tell you where a user is logged in.
