Auditing Locked accounts on machines

WellingtonIS
WellingtonIS used Ask the Experts™
on
Is there any command or free software that I can use to run a quick audit to find out if a user is logged into a machine that they are not supposed to be?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
May be this is a solution for you:
https://support.microsoft.com/en-gb/help/824209/how-to-use-the-eventcombmt-utility-to-search-event-logs-for-account-lockouts

Please dont go with the titile "eventcombMT" is the file that you need to run with the event ID - this can produce an output in csv format as well.

Cheers,
Prashant.
Distinguished Expert 2018

Commented:
The question title doesn't match your question body. Please explain that, so we know what you really need.
Also tell me if you let anyone logon anywhere - because you might not know that you can restrict that.

Author

Commented:
OK sorry for the confusion... We have single sign on one most of our machines.  And we have auto logins too. however, sometimes it doesn't work and I have users logging into a machine with their own user names and passwords then the imprivata screen comes up and they login in again. So they leave and dont' log out. the next person comes along and the 1st person is still logged in to the computer and imprivata has another user logging in.  the 1st user keeps getting locked out and I need a way to find out what machine that user is logged into.  Does that make more sense?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Can you not log off inactive sessions via GPO or Logoff ScreenSaver https://www.autoitscript.com/site/autoit-tools/logoff-screensaver/

Author

Commented:
Thanks for that info but that's not what I'm needing to do.  I have screensaver already that lock the machines after 15 minutes.  I'm trying to find out if there's a way I can audit to see where the user is logged in.
Depends what you would like to choose - there are different options available:


Option 1: Windows Sysinternal option :

Here you need to get the tool PSLoggedon copied (after downloading from Mircrosoft site) on the machine from where you want to run - then create a batch file including list of the comupters in your network:

Save file like this with extension .bat or .cmd e.g. : DiscoveryOutput.bat
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#File Content:::::
PSLOGGEDON \\COmputername1 -l >>LoggedonUserList.txt
PSLOGGEDON \\COmputername2 -l >>LoggedonUserList.txt

#now relace and add all computer names Computername1, Computer2 etc (all computer names  you have in your network)

PSLOGGEDON \\COmputernameN -l >>LoggedonUserList.txt
#end of file
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
and run this file, your output will be saved under LoggedonUserList.txt file and check the file for details.

Option 2:  Use UPing.exe

Create MS SQL database "uping" on you sql server and execute create.sql script to create "MainData" table
Edit file "uping.exe.config":

<add name="uping.My.MySettings.upingConnectionString" connectionString="Data Source=SQL_SERVER_ADDRESS;Initial Catalog=uping;Integrated Security=True" providerName="System.Data.SqlClient"/>

replace SQL_SERVER_ADDRESS with th name or ip of your sql server

Put uping.exe (uping.exe.cofig must e placed to the same folder) to startup folder or startup script (may be using GPO) without any parameters.

When user logs on, Uping will collect information to MainData table of UPING database.
After that you can query database running uping.exe with different parameters:

C:\PsTools>uping /?

UPING usage:
uping.exe [login|-l [options]]
Examples:
uping.exe - to register user in database
uping.exe mike - to search information about user Mike
uping.exe mike -p - to search information about user Mike with ip ping
uping.exe -c comp - to search information about host
uping.exe -c comp -p - to search information about host with ip ping
uping.exe -i ip - to search information about IP
uping.exe -i ip -p - to search information about IP with ip ping
uping.exe -l|-a|-all - to search information about all users
with possibility to order information by:
UserName, HostName, HostIP, LogonDateTime, ago

Hope this helps.

Regards,
Prashant.

Author

Commented:
Thanks. I'll work with this and let you know.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Best solution

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial