Auditing Locked accounts on machines

Is there any command or free software that I can use to run a quick audit to find out if a user is logged into a machine that they are not supposed to be?
WellingtonISAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Prashant ShrivastavaConsultantCommented:
May be this is a solution for you:
https://support.microsoft.com/en-gb/help/824209/how-to-use-the-eventcombmt-utility-to-search-event-logs-for-account-lockouts

Please dont go with the titile "eventcombMT" is the file that you need to run with the event ID - this can produce an output in csv format as well.

Cheers,
Prashant.
0
McKnifeCommented:
The question title doesn't match your question body. Please explain that, so we know what you really need.
Also tell me if you let anyone logon anywhere - because you might not know that you can restrict that.
0
WellingtonISAuthor Commented:
OK sorry for the confusion... We have single sign on one most of our machines.  And we have auto logins too. however, sometimes it doesn't work and I have users logging into a machine with their own user names and passwords then the imprivata screen comes up and they login in again. So they leave and dont' log out. the next person comes along and the 1st person is still logged in to the computer and imprivata has another user logging in.  the 1st user keeps getting locked out and I need a way to find out what machine that user is logged into.  Does that make more sense?
0
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

Shaun VermaakTechnical Specialist/DeveloperCommented:
Can you not log off inactive sessions via GPO or Logoff ScreenSaver https://www.autoitscript.com/site/autoit-tools/logoff-screensaver/
0
WellingtonISAuthor Commented:
Thanks for that info but that's not what I'm needing to do.  I have screensaver already that lock the machines after 15 minutes.  I'm trying to find out if there's a way I can audit to see where the user is logged in.
0
Prashant ShrivastavaConsultantCommented:
Depends what you would like to choose - there are different options available:


Option 1: Windows Sysinternal option :

Here you need to get the tool PSLoggedon copied (after downloading from Mircrosoft site) on the machine from where you want to run - then create a batch file including list of the comupters in your network:

Save file like this with extension .bat or .cmd e.g. : DiscoveryOutput.bat
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#File Content:::::
PSLOGGEDON \\COmputername1 -l >>LoggedonUserList.txt
PSLOGGEDON \\COmputername2 -l >>LoggedonUserList.txt

#now relace and add all computer names Computername1, Computer2 etc (all computer names  you have in your network)

PSLOGGEDON \\COmputernameN -l >>LoggedonUserList.txt
#end of file
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
and run this file, your output will be saved under LoggedonUserList.txt file and check the file for details.

Option 2:  Use UPing.exe

Create MS SQL database "uping" on you sql server and execute create.sql script to create "MainData" table
Edit file "uping.exe.config":

<add name="uping.My.MySettings.upingConnectionString" connectionString="Data Source=SQL_SERVER_ADDRESS;Initial Catalog=uping;Integrated Security=True" providerName="System.Data.SqlClient"/>

replace SQL_SERVER_ADDRESS with th name or ip of your sql server

Put uping.exe (uping.exe.cofig must e placed to the same folder) to startup folder or startup script (may be using GPO) without any parameters.

When user logs on, Uping will collect information to MainData table of UPING database.
After that you can query database running uping.exe with different parameters:

C:\PsTools>uping /?

UPING usage:
uping.exe [login|-l [options]]
Examples:
uping.exe - to register user in database
uping.exe mike - to search information about user Mike
uping.exe mike -p - to search information about user Mike with ip ping
uping.exe -c comp - to search information about host
uping.exe -c comp -p - to search information about host with ip ping
uping.exe -i ip - to search information about IP
uping.exe -i ip -p - to search information about IP with ip ping
uping.exe -l|-a|-all - to search information about all users
with possibility to order information by:
UserName, HostName, HostIP, LogonDateTime, ago

Hope this helps.

Regards,
Prashant.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
WellingtonISAuthor Commented:
Thanks. I'll work with this and let you know.
1
Shaun VermaakTechnical Specialist/DeveloperCommented:
Best solution
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.