Solved

How to list on which server the domain administrator account is currently logged on?

Posted on 2014-12-16
Last Modified: 2014-12-28
Hi All,

From the list of server names in a .TXT file or a specific OU, how can I verify or produce the list of where the domain\administrator account is currently used or logged on?

Any help would be greatly appreciated.

Thanks
12 Comments
 
LVL 39

Assisted Solution

by:footech
footech earned 334 total points
ID: 40502351
Check out this previously asked question for some samples.
http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28233927.html

There are also some scripts on the MS Technet Script Repository for this.

There's a variety of ways to start to gather the information, from WMI to command line utilities like quser, qwinsta, SysInternals' PsLoggedOn, etc.  You may need to try out a few to see what works for you and your environment.
0
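The quser route mentioned in the comment above, as an added example (not code from this thread or from any of its posters): it parses the text printed by `quser /server:` into objects, including disconnected sessions whose SESSIONNAME column is blank. The function names and the sample text are constructed for illustration; quser reports the bare user name without a domain, so a local and a domain Administrator look the same in its output.

```powershell
function ConvertFrom-QuserOutput {
    param([string[]]$Lines, [string]$ComputerName)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {      # skip the header row
        if ($line -match '^\s*$') { continue }
        # A leading '>' marks the caller's own session; columns are separated by 2+ spaces.
        $fields = @(($line -replace '^[\s>]+', '').TrimEnd() -split '\s{2,}')
        if ($fields.Count -eq 5) {
            # Disconnected sessions have an empty SESSIONNAME column: re-insert it.
            $fields = @($fields[0], '') + $fields[1..4]
        }
        if ($fields.Count -ne 6) { continue }                  # not a session row
        [pscustomobject]@{
            ComputerName = $ComputerName
            UserName     = $fields[0]
            SessionName  = $fields[1]
            Id           = [int]$fields[2]
            State        = $fields[3]
            IdleTime     = $fields[4]
            LogonTime    = $fields[5]
        }
    }
}

function Find-UserSession {
    param([string[]]$ComputerName, [string]$UserName = 'administrator')
    foreach ($computer in $ComputerName) {
        # quser writes its "No User exists" message to stderr when nobody is logged on.
        $text = & quser.exe "/server:$computer" 2>$null
        if ($text) {
            ConvertFrom-QuserOutput -Lines $text -ComputerName $computer |
                Where-Object { $_.UserName -eq $UserName }
        }
    }
}

# Constructed sample output (not captured from a real server), parsed offline:
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    ' administrator         rdp-tcp#12          2  Active          .  12/16/2014 9:14 AM'
    ' jsmith                                    3  Disc         1:05  12/15/2014 4:40 PM'
    '>administrator         console             1  Active      none   12/16/2014 8:01 AM'
)
ConvertFrom-QuserOutput -Lines $sample -ComputerName 'SRV01' |
    Where-Object { $_.UserName -eq 'administrator' } |
    Format-Table ComputerName, UserName, Id, State, LogonTime
```

Against live servers the equivalent call is `Find-UserSession -ComputerName (Get-Content "ComputerList.txt")`, which returns one object per matching session.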
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40502367
Thanks man, which one do you recommend as working?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40502828
What do you mean by "used"? Logged on is understood, but used?
And what is this info needed for?
0
 
LVL 39

Expert Comment

by:footech
ID: 40503504
Try all of them and see which you like better.  They both work (assuming permissions, etc. are in place).
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40503604
@McKnife: yes, used means logged on, so in this case the script can see where the domain\administrator account is currently used.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40503769
The tools have been mentioned. But what would you need that info for, if I may ask - why would you like to know "where the domain admin is logged in"?
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40503775
Because I want to know on which servers the DOMAIN\Administrator account is being used by my team.
0
 
LVL 39

Accepted Solution

by:
footech earned 334 total points
ID: 40503793
Please don't post in the other question - it has been closed for some time.  I'd even suggest it's best to delete that comment.

However, I'm sorry, I didn't remember that there were any issues with that code from the other user.  I made a correction to it but I'm finding that it really doesn't give the information you want.

Here's the code I posted in the other thread with some slight modifications.  Just tested again and it's working.
*Side note - I typically don't post such a complete script (in fact, I've stripped a number of things out from the script I use/wrote at work), but since I'd already posted it I made an exception here.
$computers = Get-Content "ComputerList.txt"
$user = "administrator"

# Provide complete path to SysInternals' PsLoggedOn.exe utility
$UtilPath = ".\PsLoggedOn.exe"

$results = @()
$i = 0
[bool]$regStart = $false
[bool]$regDisabled = $false
foreach ($computer in $computers)
{
    $i++
    Write-Progress -activity "Progress Indicator" -status "Checking Remote Registry Service" -currentOperation "Checking computer ""$computer"" ($i of $($computers.count))" -percentComplete (($i/$computers.count) * 100)
    # Check if the Remote Registry service is stopped.  If so, we need to start it (PSLoggedOn.exe needs it to be running).
    $regSvcStatus = Get-WmiObject Win32_Service -computername $computer -filter "name = 'RemoteRegistry'" -Property State,StartMode -ErrorAction SilentlyContinue
    If ($regSvcStatus.State -eq "Stopped")
    {
        If ($regSvcStatus.StartMode -eq "Manual")
        {
            & sc.exe \\$computer start RemoteRegistry | Out-Null
            [bool]$regStart = $true
            #Start-Sleep -Seconds 2
        }
        ElseIf ($regSvcStatus.StartMode -eq "Disabled")
        {
            & sc.exe \\$computer config RemoteRegistry start= demand | Out-Null
            & sc.exe \\$computer start RemoteRegistry | Out-Null
            [bool]$regStart = $true
            [bool]$regDisabled = $true
            #Start-Sleep -Seconds 1
        }
    }
    ElseIf ( !($regSvcStatus) )
    {
        Write-Output "Couldn't contact WMI service on $computer"
        continue
    }
        
    Write-Progress -activity "Progress Indicator" -status "Querying Logged On Users" -currentOperation "Checking computer ""$computer"" ($i of $($computers.count))" -percentComplete (($i/$computers.count) * 100)
        
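    # Make the query and parse the text output.
    # The utility is called directly with the call operator rather than through
    # Invoke-Expression, so an entry in ComputerList.txt is only ever passed as an
    # argument and is never evaluated as PowerShell code.
    $results += & $UtilPath -x -l "\\$computer" 2>&1 |
        # Indented lines hold either DOMAIN\user or a bare user name
        Where-Object {$_ -match '^\s{2,}(?:(?<domain>[^\\\s]+)\\)?(?<user>\S+)'} |
        Where-Object {$matches.user -eq $user} |
        ForEach-Object {
            Write-Output "$($matches.user) is logged on to $computer"
        }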
    # If we start the Remote Registry service earlier, return it to the stopped state.
    If ($regStart -eq $true)
    {
        Write-Progress -activity "Progress Indicator" -status "Resetting Remote Registry Service" -currentOperation "Checking computer ""$computer"" ($i of $($computers.count))" -percentComplete (($i/$computers.count) * 100)
        & sc.exe \\$computer stop RemoteRegistry | Out-Null
        [bool]$regStart = $false
    }
    If ($regDisabled -eq $true)
    {
        Write-Progress -activity "Progress Indicator" -status "Disabling Remote Registry Service" -currentOperation "Checking computer ""$computer"" ($i of $($computers.count))" -percentComplete (($i/$computers.count) * 100)
        & sc.exe \\$computer config RemoteRegistry start= disabled | Out-Null
        [bool]$regDisabled = $false
    }
}
$results

0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 40503815
Ok, to me it is still unclear why - you only repeat that you want to know, but not why. I hoped to be in a better position to help you if I knew why you need this info. Anyway, have a look at this freeware: http://www.cjwdev.com/Software/ServiceCredMan/Info.html
-> Easily track down all of the Windows services and scheduled tasks using a specific account
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40503821
@McKnife: because my security team wants to split the password for the administrator and then rename the account, so in this case I need to know where it is currently logged on and then I need to log them off if it is still logged on.

@footech: thanks mate, I'll try that script and let you know soon.
0
 
LVL 39

Expert Comment

by:footech
ID: 40503835
@McKnife - I hadn't come across that utility before.  I think I'll have to check it out the next time I'm changing service account credentials.  I've seen some of his tools before, but never used them.
0
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 40521373
Thanks guys !
0
