Script to determine computername of user connected to share

Does any know how I can get the computername of a user connected to a file share?

I started using FSRM to monitor for files that are created when a crypto virus hits. We have had several in the past few weeks.

Currently FSRM sends an email to me and logs an event when ever decrypt_instructions.txt is added to a folder.
 This works pretty good so long as I can get to the user fast enough and have his machine shutdown before it gets too far
 I would like to be able to run a scheduled task on my file servers based on this event id which will shutdown the computer.
 The event log only shows the user and not computer so the script would have to I guess query the active sessions by username , then determine the computername and run the shutdown command against that computer.


Any and all help would be greatly appreciated

WP
LVL 6
Smith and AndersenAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

becraigCommented:
0
David Johnson, CD, MVPOwnerCommented:
download the full script from the download link as the posted text has an error
get-shareusers.ps1
function get-ShareUsers
{
<#
.SYNOPSIS
   Determine which shares are actively being used by employees.
.DESCRIPTION
   This provides a live time view of shares currently being accessed by employees.  The output can be to the Powershell screen, the out-gridview window, a CSV file, or all of the above.
   
.PARAMETER <paramName>
   ServerName - Used to determine the server to scan.
   GridView - Enables the output to the gridview.
   Export - Enables the output to a CSV file using the export-csv cmdlet.
.EXAMPLE
   <An example of using the script>
#>
[CmdletBinding()]
Param
	(
		#First parameter
    	[parameter(Mandatory=$true, #Makes this a required parameter. The user will be prompted for this item if it is not provided.
    	ValueFromPipeline=$true)] #Allows the server name to be  "Piped" into the function.
    	[String[]] $ServerName, #The name against which to run the query.
		#Second parameter - Sends the output to the out-gridview display.
		[switch] $Gridview, 
		#Third parameter - Sends the output to a CSV file for later used.
		[switch] $Export
  ) 
  
	#Default output to the Powershell interface.
	Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | select  username, sharename, computername | sort sharename | Format-Table -AutoSize
	
	if ($Gridview -eq $true) 
	{
		Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | select  username, sharename, computername | sort sharename | Out-GridView -Title "$computername Share Users"
	}

	if ($Export -eq $true) 
	{
		[string]$filename = $ServerName + "_Share_Users.csv"
		Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | select  username, sharename, computername | sort sharename | Export-Csv -Path	$filename -NoTypeInformation	
	}
}

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Not the best piece of software. Much ado about a simple task, nonsense conditions like "$var -eq $true", and doing stuff again for each formatting option. The core function is simple:
Get-WmiObject Win32_ServerConnection -ComputerName $ServerName |
  select  username, sharename, computername |
  sort sharename |
  Format-Table -AutoSize

Open in new window

In your case all you want to know is the PC for a user, so a more direct approach is
$PC = Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | ? { $_Username -eq $user } | Select -First 1 -Expand ComputerName

Open in new window

where $user is the extracted user from EventLog. All you have to do then is to shutdown that machine forcefully, like with
shutdown /m $PC /f /t 15 /s /c "Cryptolocker found! Machine will be shut down now!"

Open in new window

0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
I'm sorry, but I don't understand
a) why it took you so long to accept an answer
b) your choice to accept http:#a40391236

Are you into solutions obfuscating your task at hand?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.