• Status: Solved
  • Priority: Medium
  • Security: Public

Seeing who logged in

I am running 2008 R2 native mode Active Directory.
What's the best way to see who logged in?

I know the Event Viewer, but no hits are coming up when I plug in user names.
Asked: jamesmetcalf74
3 Solutions
 
Sergey Kolesnik Commented:
>nbtscan 192.168.0.100-200
You may obtain it here: http://unixwiz.net/tools/nbtscan.html
 
Seaton007 Commented:
You can use this script to retrieve specific events from the Event Log:
http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/logs/eventlogs/#RetrEventsFromEventLog.htm

Here is some information on the Event IDs for logon/logoff events and tracking these activities:
http://blogs.msdn.com/b/ericfitz/archive/2008/08/20/tracking-user-logon-activity-using-logon-events.aspx
 
mlongoh Commented:
Do you want to see who authenticated to Active Directory? For example, to find the users that haven't logged on in the past 90 days? If so, then last logon is an attribute that can be checked (there are actually 2 related attributes, but only 1 gets replicated; the other is stored on each DC).

Or, are you trying to determine who connected to a specific server?
 
jamesmetcalf74 (Author) Commented:
I'm just trying to find out if someone came into work and logged into their computer over the weekend.
I don't want to go onto their machine and look at the event logs.
I need to go to the Event Viewer on the domain controller.
 
mlongoh Commented:
Well, if you want to verify when the user logged on last, here's a VBScript that will report the most recent lastLogonTimestamp. This should give you what you want without having to review any event logs.

You run it like this (from a CMD window - it's a command line script):
cscript LastUserLogon.vbs domainname\UserID

It uses the NT style domain name and userID.

Save the attached code as LastUserLogon.vbs.  You should also be a domain admin when you run this.

On Error Resume Next
Const ADS_UF_ACCOUNTDISABLE = 2

strPath = left(wscript.ScriptFullName, len(wscript.ScriptFullName) - len(wscript.ScriptName))

FullSamName = Split(wscript.arguments(0), "\")
strDom = FullSamName(0)

LogFile="LastUserLogon.log"

Const ADS_SCOPE_SUBTREE = 2

strNTName = wscript.arguments(0)
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_NT4, strNTName
' Use the Get method to retrieve the RPC 1779 Distinguished Name.
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
strUserDN = Replace(strUserDN, "/", "\/")

wscript.echo strUserDN
LastLog = #1/1/1601#

'Get TimeZone offsets
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colTimeZones = objWMIService.ExecQuery("Select * From Win32_TimeZone")
For Each objTimeZone in colTimeZones
	intTimeZoneBias = objTimeZone.Bias
	intDaylightBias = objTimeZone.DaylightBias
Next

Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 

objCommand.CommandText = _
	"SELECT ADsPath FROM 'LDAP://" & strConfigurationNC & "' WHERE objectClass='nTDSDSA'"  
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst

'Get lastlogon from each DC and find newest
Do Until objRecordSet.EOF
	Set objParent = GetObject(GetObject(objRecordset.Fields("ADsPath")).Parent)
	strDCName = objParent.dnsHostName

	Set objUser = GetObject _
		("LDAP://" & strDCName & "/" & strUserDN)

	Set objLastLogon = objUser.Get("lastLogon")
	Set objLastLogonTS = objUser.Get("lastLogonTimestamp")

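	' LowPart is a signed 32-bit value; carry into HighPart when it is negative
	lngHigh = objLastLogon.HighPart
	lngLow = objLastLogon.LowPart
	If lngLow < 0 Then lngHigh = lngHigh + 1
	intLastLogonTime = lngHigh * (2^32) + lngLow
	intLastLogonTime = intLastLogonTime / (60 * 10000000)
	intLastLogonTime = intLastLogonTime / 1440

	dtmLastLogon = intLastLogonTime + #1/1/1601#
	dtmLastLogon = DateAdd("n", intTimeZoneBias, dtmLastLogon)
	dtmLastLogon = DateAdd("n", intDaylightBias, dtmLastLogon)

	' Same signed-LowPart correction for lastLogonTimestamp
	lngHigh = objLastLogonTS.HighPart
	lngLow = objLastLogonTS.LowPart
	If lngLow < 0 Then lngHigh = lngHigh + 1
	intLastLogonTimeTS = lngHigh * (2^32) + lngLow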
	intLastLogonTimeTS = intLastLogonTimeTS / (60 * 10000000)
	intLastLogonTimeTS = intLastLogonTimeTS / 1440

	dtmLastLogonTS = intLastLogonTimeTS + #1/1/1601#
	dtmLastLogonTS = DateAdd("n", intTimeZoneBias, dtmLastLogonTS)
	dtmLastLogonTS = DateAdd("n", intDaylightBias, dtmLastLogonTS)
		
	wscript.echo "  " & strDCName & " reports " & dtmLastLogon & " as last logon"
	wscript.echo "  " & strDCName & " reports " & dtmLastLogonTS & " as last logonTimeStamp"
	
	If dtmLastLogonTS > dtmLastLogon Then dtmLastLogon = dtmLastLogonTS

	If dtmLastLogon > LastLog Then
		LastLog = dtmLastLogon
	End If
		
	objRecordSet.MoveNext
Loop
wscript.echo "Final choice = " & LastLog


'*************************************************************************
'*************************************************************************


If Instr(LastLog, " ") > 0 Then
	LLArray=Split(LastLog, " ")
	LastLog=LLArray(0)
End If

AcctStatus1=objUser.userAccountControl
If AcctStatus1 AND ADS_UF_ACCOUNTDISABLE Then
	AccountStatus = "disabled"
Else
	AccountStatus = "enabled"
End If

LogInfo=FullSamName(1) & ";" & strUserDN & ";" & LastLog & ";" & AccountStatus
wscript.echo LogInfo
z=LogMe(LogInfo, LogFile)



'************************************************************************

wscript.quit

'Functions
Function LogMe(LogInfo, LogFile)
	Set mdlfso = CreateObject("Scripting.FileSystemObject")
	Set mtf = mdlfso.OpenTextFile(LogFile, 8, True)
	mtf.WriteLine (LogInfo)
	mtf.Close
End Function

 
mlongoh Commented:
FYI: That script also generates a text log file called LastUserLogon.log.
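
The per-DC lastLogon comparison discussed in this thread, reduced to its date arithmetic, as an added Python example that is not part of the original posts. It joins the HighPart/LowPart pair that ADSI returns, converts it to UTC, picks the newest value across DCs and tests it against a weekend window; the DC names and attribute values are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def integer8_to_ticks(high_part, low_part):
    """Join ADSI HighPart/LowPart into one unsigned 64-bit tick count.

    ADSI returns LowPart as a signed 32-bit number, so it is masked back to
    unsigned before joining; adding it unmasked loses 2**32 ticks (~7 min 9 s).
    """
    return ((high_part & 0xFFFFFFFF) << 32) | (low_part & 0xFFFFFFFF)

def ticks_to_utc(ticks):
    """Ticks are 100 ns intervals since 1601-01-01 UTC; 0 means 'never'."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def newest_logon(per_dc):
    """Return (dc, utc_datetime) for the latest lastLogon, or None if all are 0."""
    seen = []
    for dc, (high, low) in per_dc.items():
        when = ticks_to_utc(integer8_to_ticks(high, low))
        if when is not None:
            seen.append((when, dc))
    if not seen:
        return None
    when, dc = max(seen)
    return dc, when

def in_window(when, start, end):
    """True when a logon time falls inside [start, end)."""
    return when is not None and start <= when < end

# Constructed sample: lastLogon (HighPart, LowPart) as read from three DCs.
SAMPLE = {
    "dc1.example.test": (30137153, -824515584),  # Sat 2011-03-05 14:30:00 UTC
    "dc2.example.test": (30136900, 1097177600),  # Fri 2011-03-04 08:15:00 UTC
    "dc3.example.test": (0, 0),                  # user never authenticated here
}

if __name__ == "__main__":
    dc, when = newest_logon(SAMPLE)
    weekend = (datetime(2011, 3, 5, tzinfo=timezone.utc),
               datetime(2011, 3, 7, tzinfo=timezone.utc))
    print(dc, when.isoformat(), "weekend logon:", in_window(when, *weekend))
```

Each DC keeps only its most recent lastLogon, so a Monday logon against the same DC overwrites the weekend value and only the Security event logs on the domain controllers still show the earlier logon. lastLogonTimestamp is replicated but is deliberately updated only when the stored value is already many days old, so it cannot answer a question about one specific weekend.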