Solved

Script to determine computername of user connected to share

Posted on 2014-10-19
4
239 Views
Last Modified: 2015-05-29
Does any know how I can get the computername of a user connected to a file share?

I started using FSRM to monitor for files that are created when a crypto virus hits. We have had several in the past few weeks.

Currently FSRM sends an email to me and logs an event when ever decrypt_instructions.txt is added to a folder.
 This works pretty good so long as I can get to the user fast enough and have his machine shutdown before it gets too far
 I would like to be able to run a scheduled task on my file servers based on this event id which will shutdown the computer.
 The event log only shows the user and not computer so the script would have to I guess query the active sessions by username , then determine the computername and run the shutdown command against that computer.


Any and all help would be greatly appreciated

WP
0
Comment
Question by:smithandandersen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40391167
0
 
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40391236
download the full script from the download link as the posted text has an error
get-shareusers.ps1
function get-ShareUsers
{
<#
.SYNOPSIS
   Determine which shares are actively being used by employees.
.DESCRIPTION
   This provides a live time view of shares currently being accessed by employees.  The output can be to the Powershell screen, the out-gridview window, a CSV file, or all of the above.
   
.PARAMETER <paramName>
   ServerName - Used to determine the server to scan.
   GridView - Enables the output to the gridview.
   Export - Enables the output to a CSV file using the export-csv cmdlet.
.EXAMPLE
   <An example of using the script>
#>
[CmdletBinding()]
Param
	(
		#First parameter
    	[parameter(Mandatory=$true, #Makes this a required parameter. The user will be prompted for this item if it is not provided.
    	ValueFromPipeline=$true)] #Allows the server name to be  "Piped" into the function.
    	[String[]] $ServerName, #The name against which to run the query.
		#Second parameter - Sends the output to the out-gridview display.
		[switch] $Gridview, 
		#Third parameter - Sends the output to a CSV file for later used.
		[switch] $Export
  ) 
  
	#Default output to the Powershell interface.
	Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | select  username, sharename, computername | sort sharename | Format-Table -AutoSize
	
	if ($Gridview -eq $true) 
	{
		Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | select  username, sharename, computername | sort sharename | Out-GridView -Title "$computername Share Users"
	}

	if ($Export -eq $true) 
	{
		[string]$filename = $ServerName + "_Share_Users.csv"
		Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | select  username, sharename, computername | sort sharename | Export-Csv -Path	$filename -NoTypeInformation	
	}
}

Open in new window

0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40459442
Not the best piece of software. Much ado about a simple task, nonsense conditions like "$var -eq $true", and doing stuff again for each formatting option. The core function is simple:
Get-WmiObject Win32_ServerConnection -ComputerName $ServerName |
  select  username, sharename, computername |
  sort sharename |
  Format-Table -AutoSize

Open in new window

In your case all you want to know is the PC for a user, so a more direct approach is
$PC = Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | ? { $_Username -eq $user } | Select -First 1 -Expand ComputerName

Open in new window

where $user is the extracted user from EventLog. All you have to do then is to shutdown that machine forcefully, like with
shutdown /m $PC /f /t 15 /s /c "Cryptolocker found! Machine will be shut down now!"

Open in new window

0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40803112
I'm sorry, but I don't understand
a) why it took you so long to accept an answer
b) your choice to accept http:#a40391236

Are you into solutions obfuscating your task at hand?
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question