Solved

Script to determine computername of user connected to share

Posted on 2014-10-19
4
199 Views
Last Modified: 2015-05-29
Does any know how I can get the computername of a user connected to a file share?

I started using FSRM to monitor for files that are created when a crypto virus hits. We have had several in the past few weeks.

Currently FSRM sends an email to me and logs an event when ever decrypt_instructions.txt is added to a folder.
 This works pretty good so long as I can get to the user fast enough and have his machine shutdown before it gets too far
 I would like to be able to run a scheduled task on my file servers based on this event id which will shutdown the computer.
 The event log only shows the user and not computer so the script would have to I guess query the active sessions by username , then determine the computername and run the shutdown command against that computer.


Any and all help would be greatly appreciated

WP
0
Comment
Question by:smithandandersen
  • 2
4 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40391167
0
 
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40391236
download the full script from the download link as the posted text has an error
get-shareusers.ps1
function get-ShareUsers
{
<#
.SYNOPSIS
   Determine which shares are actively being used by employees.
.DESCRIPTION
   This provides a live time view of shares currently being accessed by employees.  The output can be to the Powershell screen, the out-gridview window, a CSV file, or all of the above.
   
.PARAMETER <paramName>
   ServerName - Used to determine the server to scan.
   GridView - Enables the output to the gridview.
   Export - Enables the output to a CSV file using the export-csv cmdlet.
.EXAMPLE
   <An example of using the script>
#>
[CmdletBinding()]
Param
	(
		#First parameter
    	[parameter(Mandatory=$true, #Makes this a required parameter. The user will be prompted for this item if it is not provided.
    	ValueFromPipeline=$true)] #Allows the server name to be  "Piped" into the function.
    	[String[]] $ServerName, #The name against which to run the query.
		#Second parameter - Sends the output to the out-gridview display.
		[switch] $Gridview, 
		#Third parameter - Sends the output to a CSV file for later used.
		[switch] $Export
  ) 
  
	#Default output to the Powershell interface.
	Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | select  username, sharename, computername | sort sharename | Format-Table -AutoSize
	
	if ($Gridview -eq $true) 
	{
		Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | select  username, sharename, computername | sort sharename | Out-GridView -Title "$computername Share Users"
	}

	if ($Export -eq $true) 
	{
		[string]$filename = $ServerName + "_Share_Users.csv"
		Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | select  username, sharename, computername | sort sharename | Export-Csv -Path	$filename -NoTypeInformation	
	}
}

Open in new window

0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40459442
Not the best piece of software. Much ado about a simple task, nonsense conditions like "$var -eq $true", and doing stuff again for each formatting option. The core function is simple:
Get-WmiObject Win32_ServerConnection -ComputerName $ServerName |
  select  username, sharename, computername |
  sort sharename |
  Format-Table -AutoSize

Open in new window

In your case all you want to know is the PC for a user, so a more direct approach is
$PC = Get-WmiObject Win32_ServerConnection -ComputerName $ServerName | ? { $_Username -eq $user } | Select -First 1 -Expand ComputerName

Open in new window

where $user is the extracted user from EventLog. All you have to do then is to shutdown that machine forcefully, like with
shutdown /m $PC /f /t 15 /s /c "Cryptolocker found! Machine will be shut down now!"

Open in new window

0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40803112
I'm sorry, but I don't understand
a) why it took you so long to accept an answer
b) your choice to accept http:#a40391236

Are you into solutions obfuscating your task at hand?
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question