Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 104
  • Last Modified:

How to list on which server domain administrator account is currently logged on ?

Hi All,

From the list of server name in .TXT file or specific OU, how can I verify of produce the list of where the domain\administrator account is currently used or logged on ?

Any help would be greatly appreciated.

THanks
0
Senior IT System Engineer
Asked:
Senior IT System Engineer
  • 5
  • 4
  • 3
3 Solutions
 
footechCommented:
Check out this previous asked question for some samples.
http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28233927.html

There are also some scripts on the MS Technet Script Repository for this.

There's a variety of ways to start to gather the information, from WMI to command line utilities like quser, qwinsta, SysInternals' PsLoggedOn, etc..  You may need to try out a few to see what works for you and your environment.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks man, which one that you recommends working ?
0
 
McKnifeCommented:
What do you mean by "used"? Logged on is understood, but used?
And what is this info needed for?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
footechCommented:
Try all of them and see which you like better.  They both work (assuming permissions, etc. are in place).
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
@McKnife: yes, used means logged on, so in thiscase the script can see where the domain\administrator account is currently used.
0
 
McKnifeCommented:
The tools have been mentioned. But what would you need that info for, if I may ask - why would you like to know "where the domain admin is logged in"?
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
because I want to know where the DOMAIN\Administrator is being used on which servers by my team.
0
 
footechCommented:
Please don't post in the other question - it has been closed for some time.  I'd even suggest it's best to delete that comment.

However, I'm sorry, I didn't remember that there were any issues with that code from the other user.  I made a correction to it but I'm finding that it really doesn't give the information you want.

Here's the code I posted in the other thread with some slight modifications.  Just tested again and it's working.
*Side note - I typically don't post such a complete script (in fact, I've stripped a number of things out from the script I use/wrote at work), but since I'd already posted it I made an exception here.
$computers = Get-Content "ComputerList.txt"
$user = "administrator"

# Provide complete path to SysInternals' PsLoggedOn.exe utility
$UtilPath = ".\PsLoggedOn.exe"

$results = @()
$i = 0
[bool]$regStart = $false
[bool]$regDisabled = $false
foreach ($computer in $computers)
{
    $i++
    Write-Progress -activity "Progress Indicator" -status "Checking Remote Registy Service" -currentOperation "Checking computer ""$computer"" ($i of $($computers.count))" -percentComplete (($i/$computers.count) * 100)
    # Check if the Remote Registry service is stopped.  If so, we need to start it (PSLoggedOn.exe needs it to be running).
    $regSvcStatus = Get-WmiObject Win32_Service -computername $computer -filter "name = 'RemoteRegistry'" -Property State,StartMode -ErrorAction SilentlyContinue
    If ($regSvcStatus.State -eq "Stopped")
    {
        If ($regSvcStatus.StartMode -eq "Manual")
        {
            & sc.exe \\$computer start RemoteRegistry | Out-Null
            [bool]$regStart = $true
            #Start-Sleep -Seconds 2
        }
        ElseIf ($regSvcStatus.StartMode -eq "Disabled")
        {
            & sc.exe \\$computer config RemoteRegistry start= demand | Out-Null
            & sc.exe \\$computer start RemoteRegistry | Out-Null
            [bool]$regStart = $true
            [bool]$regDisabled = $true
            #Start-Sleep -Seconds 1
        }
    }
    ElseIf ( !($regSvcStatus) )
    {
        Write-Output "Couldn't contact WMI service on $computer"
        continue
    }
        
    Write-Progress -activity "Progress Indicator" -status "Querying Logged On Users" -currentOperation "Checking computer ""$computer"" ($i of $($computers.count))" -percentComplete (($i/$computers.count) * 100)
        
    # Make the query and parse the text output
    $results += Invoke-Expression "$UtilPath -x -l \\$computer 2>&1" |
        Where-Object {$_ -match '^\s{2,}((?<domain>\w+)\\(?<user>\S+))|(?<user>\S+)'} |
        Where {$matches.user -eq $user} |
        ForEach `
        {
            Write-Output "$($matches.user) is logged on to $computer"
        }
    # If we start the Remote Registry service earlier, return it to the stopped state.
    If ($regStart -eq $true)
    {
        Write-Progress -activity "Progress Indicator" -status "Resetting Remote Registry Service" -currentOperation "Checking computer ""$computer"" ($i of $($computers.count))" -percentComplete (($i/$computers.count) * 100)
        & sc.exe \\$computer stop RemoteRegistry | Out-Null
        [bool]$regStart = $false
    }
    If ($regDisabled -eq $true)
    {
        Write-Progress -activity "Progress Indicator" -status "Disabling Remote Registry Service" -currentOperation "Checking computer ""$computer"" ($i of $($computers.count))" -percentComplete (($i/$computers.count) * 100)
        & sc.exe \\$computer config RemoteRegistry start= disabled | Out-Null
        [bool]$regDisabled = $false
    }
}
$results

Open in new window

0
 
McKnifeCommented:
Ok, to me it is still unclear why - you only repeat that you want to know, but not why. I hoped to be in a better position to help you if I knew why you need this info. Anyway, have a look at this freeware: http://www.cjwdev.com/Software/ServiceCredMan/Info.html
-> Easily track down all of the Windows services and scheduled tasks using a specific account
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
@McKnife: because my security team wants to split the password for the administrator and then rename the account, so in this case i need to know where it is currently logged on and then I need to log them off if it is still logged on.

@footech: thanks mate, I'll try that script and let you know soon.
0
 
footechCommented:
@McKnife - I hadn't come across that utility before.  I think I'll have to check it out the next time I'm changing service account credentials.  I've seen some of his tools before, but never used them.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks guys !
0

Featured Post

WatchGuard Case Study: NCR

With business operations for thousands of customers largely depending on the internal systems they support, NCR can’t afford to waste time or money on security products that are anything less than exceptional. That’s why they chose WatchGuard.

  • 5
  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now