Finding the list of users and machines in Active Directory

Craig Paulsen
Hi guys, on a Server 2012 Standard DC, where can I locate the LoginLog$ directory that shows the list of users and machines with the login times etc.?
It's enabled, just don't know where the file is located.
yo_bee, Director of Information Technology

Commented:
I personally never heard of LoginLog$ for keeping track of User and Computer. The only spot I know where logins are recorded is in the Event Logs on the DC. If you have the proper auditing enabled on the DC (which should be by default) then the login events are recorded in the event logs, but they are extremely hard to read without some parsing tools.

Here is a PowerShell script I found in a search: https://gallery.technet.microsoft.com/scriptcenter/Get-All-AD-Users-Logon-9e721a89

The issue is that this data is not really stored together. The script aggregates the security event logs and gathers specific events and the details.
From there it looks like it does a DNS lookup for the computer name.

You would need to create a logon script that will write this to a file. It's not a difficult script to write if you want to give scripting a stab.
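
An added example (not part of the original thread, and not the linked TechNet script) of the approach described above: read logon events from the DC's Security log and resolve each source address to a computer name. Event ID 4624 and the 24-hour window are assumptions, since the thread does not say which events the linked script reads; it needs an elevated session on the DC.

```powershell
# Added example: summarise successful logons (event 4624) from the local Security log.
# Assumptions: event ID 4624, a 24-hour window, run elevated on the domain controller.
$since    = (Get-Date).AddHours(-24)
$dnsCache = @{}   # source IP -> resolved name, so each address is looked up once

function Resolve-SourceName([string]$Ip) {
    if ([string]::IsNullOrWhiteSpace($Ip) -or $Ip -eq '-') { return $null }
    if (-not $dnsCache.ContainsKey($Ip)) {
        try   { $dnsCache[$Ip] = [System.Net.Dns]::GetHostEntry($Ip).HostName }
        catch { $dnsCache[$Ip] = $null }   # no PTR record or lookup failure
    }
    return $dnsCache[$Ip]
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$logons = foreach ($evt in $events) {
    # EventData is positional in .Properties; the XML form exposes the fields by name.
    $fields = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

    # Skip machine accounts (name ends in $) and built-in service identities.
    if ($fields.TargetUserName -like '*$') { continue }
    if ($fields.TargetDomainName -in 'NT AUTHORITY', 'Window Manager', 'Font Driver Host') { continue }

    [pscustomobject]@{
        Time      = $evt.TimeCreated
        User      = '{0}\{1}' -f $fields.TargetDomainName, $fields.TargetUserName
        LogonType = [int]$fields.LogonType     # 2 = interactive, 3 = network, 10 = RDP
        SourceIP  = $fields.IpAddress
        Computer  = Resolve-SourceName $fields.IpAddress
    }
}

# Most recent logon per user and source address.
$logons | Sort-Object Time -Descending |
    Group-Object User, SourceIP |
    ForEach-Object { $_.Group[0] } |
    Format-Table Time, User, LogonType, SourceIP, Computer -AutoSize
```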
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
Agreed - never heard of loginlog$ and a Google search suggests no one else has either. It could be something someone in your organization created to record the logins (the $ suggests it's a hidden share) but it's not something other people are going to know about without more information.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Probably something like this
echo on %date% at %time% user %username% logged into %computername% on %console% authorized by %logonserver%  >>\\someserver\loginlog$\login_logout.txt


yo_bee, Director of Information Technology

Commented:
@Shaun you have heard of this?
yo_bee, Director of Information Technology

Commented:
@Craig

Where did you hear about this? If you have any links, I think we are all curious.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Taking a stab at it
Craig Paulsen, Senior Systems Engineer

Author

Commented:
Thanks all for your responses, and apologies for only getting back to you all now.
Guess my explanation of what I'm wanting is poor. I compared the other environment (User AD profile properties) and can confirm they have a login script configured that I suspect collects this info and stores it centrally "somewhere".
In turn, I would usually browse to this hidden share, search for a particular computer name, and it will display info like who's logged on etc. Basically I just want the ability to input a computer name and for it to display information about who's logged on, OS details, serial no., last boot time, system memory, user profile drive mapping, etc.
Director of Information Technology
Commented:
You will need to use WMI to get the majority of the values you are looking for. Here is the script that I use, and I have it write to an MSSQL DB.

Here is an example of what I use:
'************************************************************************************
'*         XXXX Logon Script to collect Basic details								*
'*         Create by XXXXXXXXXXXXX XXXXXXXXXXXXX on 2/24/2010									*	
'*         Updated by XXXXXXXXXXXXX XXXXXXXXXXXXX on 4/6/2014									*
'*         recent updates: Collecting IP and MAC address     						*
'************************************************************************************

	on error resume next
	Const adOpenStatic = 3
	Const adLockOptimistic = 3
	Const adUseClient = 3
	' Set the WMI Time,ADODB Connection and Recordset Objects
	Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
	Set objConnection = CreateObject("ADODB.Connection")
	Set objRecordset = CreateObject("ADODB.Recordset")

	Dim StrComputerName, StrUser, strManufacturer, StrModel, StrSN, StrIP,StrMAC, IP

'************************************************************************************
'Data Collection																	*
'************************************************************************************
	'sets the WMI Object for all upcoming collections
	'This Object can reused for any Collection connection required
'************************************************************************************
	set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\." _
								&"\root\cimv2")
'************************************************************************************
	'Collects the basic Computer System information 
	'by connecting to the Win32_ComputerSystem Class
	'UserName,ComputerName of the User, Make and Model of the computer
'************************************************************************************
	 Set colSystems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem")
		For Each objSystem In colSystems
			strComputerName = objSystem.name
			strModel = objsystem.Model
			strManufacturer = objsystem.Manufacturer
			If Not (ISNULL(objsystem.UserName)) then 
				strUser = Split(objsystem.UserName,"\")
				strUser(1) = UCase(Left(strUser(1),1))_
				& Trim(Mid(strUser(1),2,20))
			else
				Struser = split("\RDP-Session","\")
				strUser(1) = UCase(Left(strUser(1),1))_
				& Trim(Mid(strUser(1),2,20))
			End If
		next
'************************************************************************************
	'Collects the Computer's Serial Number by connecting to the Win32_Bios Class
'************************************************************************************
	Set colSMBIOS = objWMIService.ExecQuery _
		("Select * from Win32_bios")
	For Each objSMBIOS in colSMBIOS
		strSN = objSMBIOS.SerialNumber
    Next
'************************************************************************************
	'Collects the Computers IP and MAC address by connecting to the 
	'Win32_NetworkAdapterConfiguration.  
	'If the IP-Address does not have 192. in the beginning then 
	'nothing is recorded for the item 
	'If the item has 192. in the beginning then the item is recorded
	'as well as the MAC
'************************************************************************************
	Set ColIP =objWMIService.ExecQuery("Select * from Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'")
			
		For Each IPConfig in Colip
				If Not IsNull(IPConfig.IPAddress)  Then 
					For i = lbound(IPConfig.IPAddress) to ubound(IPConfig.IPAddress) 
							IP = IPConfig.IPAddress(i)
						
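					'InStr returns the match position; 1 means the address starts with "192."
					If InStr(ip,"192.") = 1 Then
						'First matching address on any adapter starts the list; later ones are appended
						If Strip = "" Then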
							 
							Strip = ip
							StrMAC = IPConfig.MacAddress 
							
						else
							Strip = Strip & ", " & ip 
								If StrMAC <> IPConfig.MacAddress then
									StrMac = StrMac & ", " & IPConfig.MacAddress
								end if		
						End if
					end if
					next
				End If
		Next

			
	'
'************************************************************************************
	'This will collect the logon session time
	'It is not needed for this script, but it was left here for
	'future possibilities. 
	'It was originally put in the script to create a unique ID for the 
	'for the record being created by creating a string yyyymmddhhMMSS
'************************************************************************************
	Set ColLogon = objwmiservice.execquery("Select * from Win32_LogonSession Where LogonType = 2")

		For Each objLogon in ColLogon
			strDate = WMIDateStringToDate(objlogon.StartTime)
			strTime = WMIDateStringTotime(objlogon.StartTime)
			objSWbemDateTime.value = Objlogon.starttime
			vtdLogonTime = objSWbemDateTime.GetVarDate(true)
			StrDateDiff = DATEDIFF("s", vtdLogonTime ,now)
			
		Next

	StrID= year(vtdLogonTime) & month(vtdLogonTime) & day(vtdLogonTime) & Hour(vtdLogonTime) & Minute(vtdLogonTime) & Second(vtdLogonTime)


'************************************************************************************
'*			            Connection to the Datadase									*
'************************************************************************************
'************************************************************************************
	'Creates the ADODB Connection string 
'************************************************************************************
	strConnect = "Provider = SQLOLEDB.1;Data Source=XXXXSQL04;Initial Catalog=Inventory;User ID='sa';Password='***********'"
'************************************************************************************
	'Connects to the Database using the ADODB.connection object created earlier
'************************************************************************************	
	objConnection.Open strConnect
'************************************************************************************
	'This is the part the records the new records to the database
	'There is an IF Than Statement that is currently still in the 
	'script to challenge the computer name and if it does not match
	'XXXXcitrix the script continues to record else the script is 
	'ended.
	'At the end of the script the recordset and connection is
	'closed
'************************************************************************************
		

	objRecordset.CursorLocation = adUseClient
	objRecordset.Open "SELECT * FROM Table1_1" , objConnection, _
		adOpenStatic, adLockOptimistic
		
		objRecordset.AddNew
		objRecordset("ID") = strID
		objRecordset("ComputerName")= StrComputerName
		objRecordset("UserName")= StrUser(1)
		objRecordset("ComputerManufacturer")= strManufacturer
		objRecordset("ComputerModel")= strModel
		objRecordset("ComputerSN")= strSN
		objrecordset("Recorddate") = now
		objrecordset("IPAddress") = StrIP
		Objrecordset("macaddress") = StrMac
		
		objRecordset.Update
		
		
	objRecordset.Close
	objConnection.Close
'************************************************************************************

'************************************************************************************
'*								Function											*
'************************************************************************************
	'This function is to convert WMI DateTime to a standard readable US Date format
	' mm/dd/yyyy
	Function WMIDateStringToDate(dtmInstallDate)

	 WMIDateStringToDate = CDate(Mid(dtmInstallDate, 5, 2) & "/" & _
	 Mid(dtmInstallDate, 7, 2) & "/" & Left(dtmInstallDate, 4))
	End Function
'************************************************************************************
	'This function is to convert WMI DateTime to a standard readable US Time Format
	' hh:MM:ss
'************************************************************************************
	Function WMIDateStringTotime(dtmInstallDate)

	 WMIDateStringTotime = CDate(Mid(dtmInstallDate, 9, 2) & ":" & _
	 Mid(dtmInstallDate, 11, 2) & ":" & Mid(dtmInstallDate,13, 2))

	End Function
'************************************************************************************

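
An added example, not part of the original thread or of the script above: the same inventory row collected with CIM in Windows PowerShell and written with Windows integrated authentication and a parameterized INSERT, so the logon script, which every user who runs it can read, holds no SQL login or password. The server, database, table and column names are the ones shown in the script above; the assumptions are that a domain group has been granted INSERT only on Table1_1 and that the ID column accepts a yyyyMMddHHmmss string.

```powershell
# Added example: logon-time inventory insert with no credentials stored in the script.
# Assumption: a domain group (e.g. Domain Users) has INSERT-only rights on Inventory..Table1_1.
$cs   = Get-CimInstance Win32_ComputerSystem
$bios = Get-CimInstance Win32_BIOS
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

# Keep only addresses that start with "192." (the filter the original script describes).
$ips  = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -like '192.*' })
$macs = @($nics | Where-Object { $_.IPAddress -like '192.*' } | ForEach-Object { $_.MACAddress } | Select-Object -Unique)

# Parameter name -> value; ID is a zero-padded timestamp (assumed format).
$row = [ordered]@{
    '@ID'           = (Get-Date -Format 'yyyyMMddHHmmss')
    '@ComputerName' = $env:COMPUTERNAME
    '@UserName'     = $env:USERNAME
    '@Manufacturer' = $cs.Manufacturer
    '@Model'        = $cs.Model
    '@SN'           = $bios.SerialNumber
    '@IP'           = ($ips  -join ', ')
    '@MAC'          = ($macs -join ', ')
}

$sql = @'
INSERT INTO Table1_1 (ID, ComputerName, UserName, ComputerManufacturer, ComputerModel,
                      ComputerSN, Recorddate, IPAddress, macaddress)
VALUES (@ID, @ComputerName, @UserName, @Manufacturer, @Model, @SN, GETDATE(), @IP, @MAC)
'@

# Integrated Security authenticates as the logged-on user: no 'sa' login, no password on disk.
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=XXXXSQL04;Database=Inventory;Integrated Security=SSPI'
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    foreach ($name in $row.Keys) {
        # Parameters keep WMI-supplied strings out of the SQL text.
        [void]$cmd.Parameters.AddWithValue($name, [string]$row[$name])
    }
    [void]$cmd.ExecuteNonQuery()
}
finally {
    $conn.Dispose()
}
```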

Craig Paulsen, Senior Systems Engineer

Author

Commented:
Thanks all again, you were all right, this is something set up via a login script a while ago by the previous admin.
yo_bee, Director of Information Technology

Commented:
Craig,

Did you use my solution? If not, I would see if you can get the points spread evenly across all the contributors.
Craig Paulsen, Senior Systems Engineer

Author

Commented:
No, I didn't use your script. I need to adapt it at some point to work in our environment, might look at this in the weeks to come. No pressing need for it just yet.
