seeing who logged in

Posted on 2012-08-13
Last Modified: 2012-08-17
I am running 2008 R2 native mode Active Directory.
What's the best way to see who logged in....

I know the event viewer, but no hits are coming up when I plug in user names.
Question by:jamesmetcalf74
    LVL 2

    Expert Comment

    by:Sergey Kolesnik
    You may obtain it here:
    LVL 12

    Accepted Solution

    You can use this script to retrieve specific events from the Event Log:

    Here is some information on the Event IDs for logon/logoff events and tracking these activities:
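
Added example (not from the thread, and not the script the answer linked to): one way to pull a single user's logon evidence for a time window from the domain controllers' Security logs instead of the workstation. It filters on event 4768 (Kerberos TGT request), assumes Kerberos authentication auditing is enabled on the DCs, and uses placeholder names (`jdoe`, `dc01`, `dc02`) and a constructed sample event.

```powershell
# Added example. 'jdoe', the DC names and the sample event are placeholders/constructed.
function New-TgtRequestXPath {
    param([string]$User, [datetime]$From, [datetime]$To)
    # Reject characters that could break out of the quoted XPath literal.
    if ($User -notmatch '^[\w.\-$]+$') { throw "Unexpected characters in user name" }
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $f = $From.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ', $inv)
    $t = $To.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ', $inv)
    # 4768 = Kerberos TGT requested; the comparison on TargetUserName is case-sensitive.
    "*[System[EventID=4768 and TimeCreated[@SystemTime>='$f' and @SystemTime<='$t']]" +
        " and EventData[Data[@Name='TargetUserName']='$User']]"
}

function ConvertFrom-TgtEventXml {
    param([xml]$Xml)
    $d = @{}
    foreach ($n in $Xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    New-Object PSObject -Property @{
        TimeUtc  = $Xml.Event.System.TimeCreated.SystemTime
        DC       = $Xml.Event.System.Computer
        User     = $d['TargetUserName']
        ClientIP = $d['IpAddress']
        Status   = $d['Status']      # 0x0 = ticket issued
    }
}

function Get-UserTgtRequest {
    param([string[]]$DomainController, [string]$User, [datetime]$From, [datetime]$To)
    $xp = New-TgtRequestXPath -User $User -From $From -To $To
    # Only the DC that handled the request logs it, so each DC is queried.
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xp -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-TgtEventXml $_.ToXml() }
    }
}

# Offline check of the parser against a constructed 4768 event:
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2012-08-11T14:03:22.000000000Z"/>
    <Computer>dc01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="Status">0x0</Data>
    <Data Name="IpAddress">::ffff:192.0.2.25</Data></EventData>
</Event>
'@
ConvertFrom-TgtEventXml $sample
# Live use: Get-UserTgtRequest -DomainController 'dc01','dc02' -User 'jdoe' -From '2012-08-11' -To '2012-08-13'
```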
    LVL 12

    Assisted Solution

    Do you want to see who authenticated to Active Directory?  For example, to find the users that haven't logged on in the past 90 days?  If so, then last logon is an attribute that can be checked (there are actually 2 related attributes, but only 1 gets replicated; the other is stored on each DC).

    Or, are you trying to determine who connected to a specific server?

    Author Comment

    I'm just trying to find out if someone came into work and logged into their computer over the weekend.
    I don't want to go onto their machine and look at the event logs.
    I need to go to the event viewer on the domain controller.
    LVL 12

    Assisted Solution

    Well if you want to verify when the user logged on last, here's a vbscript that will report the most recent lastlogontimestamp.  This should give you what you want without having to review any event logs.

    You run it like this (from a CMD window - it's a command line script):
    cscript LastUserLogon.vbs domainname\UserID

    It uses the NT style domain name and userID.

    Save the attached code as LastUserLogon.vbs.  You should also be a domain admin when you run this.

    On Error Resume Next
    ' ADSI constants (the posted script used some of these without defining them)
    Const ADS_NAME_INITTYPE_GC = 3
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    Const ADS_SCOPE_SUBTREE = 2
    Const ADS_UF_ACCOUNTDISABLE = 2
    strPath = left(wscript.ScriptFullName, len(wscript.ScriptFullName) - len(wscript.ScriptName))
    ' The log file is written next to the script
    LogFile = strPath & "LastUserLogon.log"
    FullSamName = Split(wscript.arguments(0), "\")
    strDom = FullSamName(0)
    strNTName = wscript.arguments(0)
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    objTrans.Set ADS_NAME_TYPE_NT4, strNTName
    ' Use the Get method to retrieve the RFC 1779 Distinguished Name.
    strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
    strUserDN = Replace(strUserDN, "/", "\/")
    wscript.echo strUserDN
    LastLog = #1/1/1601#
    'Get TimeZone offsets
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colTimeZones = objWMIService.ExecQuery("Select * From Win32_TimeZone")
    For Each objTimeZone in colTimeZones
    	intTimeZoneBias = objTimeZone.Bias
    	intDaylightBias = objTimeZone.DaylightBias
    Next
    'Find every domain controller (nTDSDSA objects in the configuration partition)
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strConfigurationNC = objRootDSE.Get("configurationNamingContext")
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand =   CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
    objCommand.CommandText = _
    	"SELECT ADsPath FROM 'LDAP://" & strConfigurationNC & "' WHERE objectClass='nTDSDSA'"  
    Set objRecordSet = objCommand.Execute
    'Get lastlogon from each DC and find newest
    Do Until objRecordSet.EOF
    	Set objParent = GetObject(GetObject(objRecordset.Fields("ADsPath")).Parent)
    	strDCName = objParent.dnsHostName
    	Set objUser = GetObject _
    		("LDAP://" & strDCName & "/" & strUserDN)
    	Set objLastLogon = objUser.Get("lastLogon")
    	Set objLastLogonTS = objUser.Get("lastLogonTimestamp")
    	'Convert 100-nanosecond intervals since 1/1/1601 (UTC) to a local date
    	intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart 
    	intLastLogonTime = intLastLogonTime / (60 * 10000000)
    	intLastLogonTime = intLastLogonTime / 1440
    	dtmLastLogon = intLastLogonTime + #1/1/1601#
    	dtmLastLogon = DateAdd("n", intTimeZoneBias, dtmLastLogon)
    	dtmLastLogon = DateAdd("n", intDaylightBias, dtmLastLogon)
    	intLastLogonTimeTS = objLastLogonTS.HighPart * (2^32) + objLastLogonTS.LowPart 
    	intLastLogonTimeTS = intLastLogonTimeTS / (60 * 10000000)
    	intLastLogonTimeTS = intLastLogonTimeTS / 1440
    	dtmLastLogonTS = intLastLogonTimeTS + #1/1/1601#
    	dtmLastLogonTS = DateAdd("n", intTimeZoneBias, dtmLastLogonTS)
    	dtmLastLogonTS = DateAdd("n", intDaylightBias, dtmLastLogonTS)
    	wscript.echo "  " & strDCName & " reports " & dtmLastLogon & " as last logon"
    	wscript.echo "  " & strDCName & " reports " & dtmLastLogonTS & " as last logonTimeStamp"
    	If dtmLastLogonTS > dtmLastLogon Then dtmLastLogon = dtmLastLogonTS
    	If dtmLastLogon > LastLog Then
    		LastLog = dtmLastLogon
    	End If
    	objRecordSet.MoveNext
    Loop
    wscript.echo "Final choice = " & LastLog
    If Instr(LastLog, " ") > 0 Then
    	LLArray=Split(LastLog, " ")
    End If
    ' The enabled/disabled test was missing from the posted script;
    ' it is restored here by checking the ACCOUNTDISABLE bit of userAccountControl.
    Set objUser = GetObject("LDAP://" & strUserDN)
    If objUser.Get("userAccountControl") And ADS_UF_ACCOUNTDISABLE Then
    	AccountStatus = "disabled"
    Else
    	AccountStatus = "enabled"
    End If
    LogInfo=FullSamName(1) & ";" & strUserDN & ";" & LastLog & ";" & AccountStatus
    wscript.echo LogInfo
    z=LogMe(LogInfo, LogFile)

    ' Append one line to the log file (8 = ForAppending, True = create if missing)
    Function LogMe(LogInfo, LogFile)
    	Set mdlfso = CreateObject("Scripting.FileSystemObject")
    	Set mtf = mdlfso.OpenTextFile(LogFile, 8, True)
    	mtf.WriteLine (LogInfo)
    	mtf.Close
    End Function


    LVL 12

    Expert Comment

    FYI: That script also generates a text log file called LastUserLogon.log.
