9

Is there a tool or script or some other way of knowing what computer name a specific user is currently logged on to? Or even was logged on to?

Say the user "HRDrone" is working on his machine whose hostname is "HRStation01".

I, sitting at my sysadmin desk, only know that the username is "HRDrone". Any way I can find out that he is logged on to "HRStation01" without asking the user? AD event viewer? Anything?

Thanks!

V. Romanov
  • Well, I haven't found any way to do it using generic Windows or AD tools, but it turns out our AV system (SEP 11) stores the required info, so I solved it using a VB script that queries the antivirus database. I guess a similar solution using another system such as SMS/SCOM could be used. – V. Romanov Nov 22 '11 at 11:20
  • https://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx here is an alternative way to get this using a gpo – mike shone Jan 29 '18 at 20:47

6 Answers

8

There is a great Sysinternals utility that will do just this for you - PsLoggedOn

Sam Cogan
  • Didn't twig psloggedon could scan the network for a particular user, I'd only used it to find who was on a particular machine. Thanks! – JamesOff Mar 04 '10 at 11:03
  • Checked it out. It seems interesting, but impractical for day-to-day use seeing as it takes literally hours to scan all the machines in the domain, crashing on computers that aren't connected and such. I'm looking for something more along the lines of event log scanning. We have something similar in our antivirus system, where it logs every computer name and the user last logged on to it. I'm using that sometimes, but I wonder if there's something more "native" to Windows. – V. Romanov Mar 04 '10 at 12:33
5

A cheap trick I often use is to look at the "Sessions" listed under "Shared Folders" in the "Computer Management" console targeted at a file server computer where I know the subject user will have a "drive" "mapped".

Evan Anderson
1

How about these in a bat file as a user logon script? Run it and you will see the fun.

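rem Create a per-user folder (relative to the current directory) and save this workstation's details in it
if not exist "%username%" mkdir "%username%"
pushd "%username%"
net config workstation > "%computername%.txt"
popd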

Or, if you need it in detail:

@echo off
rem Per-user folder, one file per computer the user logs on to
if not exist "%username%" mkdir "%username%"
pushd "%username%"
echo.
rem pushd has already moved into the user's folder, so write to the bare file name
echo I am logged on as %UserName%. >> "%computername%.txt"
echo My computer's name is %ComputerName%. >> "%computername%.txt"
echo %Date% >> "%computername%.txt"
echo %Time% >> "%computername%.txt"
echo My IP settings are >> "%computername%.txt"
ipconfig | find "." | find /i /v "suffix" >> "%computername%.txt"
getmac >> "%computername%.txt"
echo.
popd

You can contact me for more scripts if you need them; it's good learning for me as well.

kasperd
Asim Khan
0

I'm not sure there is something live, but the Security Event Log records logins from users. Accessing the Event log on the DCs should be able to give you this information. That is provided that information is being collected. I think that is a policy setting.

This page from Microsoft describes a really slow and complicated way to query the event logs: http://technet.microsoft.com/en-us/library/ee176699.aspx

I'm pretty sure this won't help you, but it might work as an audit, i.e. who was logged in when the bad stuff happened!

Seanchán Torpéist
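The domain controller event-log approach from this answer, as an added example that is not part of the original answer: it reads Kerberos ticket-request events (ID 4768) for one user from a DC's Security log and reports the client address of each. The function names and the DC name `DC01` are hypothetical, and it assumes Kerberos authentication auditing is enabled on the DCs.

```powershell
# Added example. Needs rights to read the Security log on the DC, and
# "Audit Kerberos Authentication Service" success auditing enabled there.
function ConvertFrom-TgtEvent {
    # Turn the XML of one event 4768 (Kerberos TGT requested) into an object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        User     = $data['TargetUserName']
        # DCs log IPv4 clients in IPv4-mapped form (::ffff:a.b.c.d)
        ClientIP = $data['IpAddress'] -replace '^::ffff:', ''
    }
}

function Find-UserLogonHost {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[\w.\-]+$')][string]$User,
        [Parameter(Mandatory)][string]$DomainController,  # each DC logs only the requests it served
        [int]$Hours = 24
    )
    $ms = $Hours * 3600000
    # Filter on the DC side; the XPath string comparison is case-sensitive.
    $xpath = "*[System[(EventID=4768) and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
             "and *[EventData[Data[@Name='TargetUserName']='$User']]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath |
        ForEach-Object { ConvertFrom-TgtEvent ([xml]$_.ToXml()) } |
        ForEach-Object {
            $name = try { [System.Net.Dns]::GetHostEntry($_.ClientIP).HostName } catch { $null }
            $_ | Add-Member -NotePropertyName Computer -NotePropertyValue $name -PassThru
        }
}

# Constructed sample event (not real log data) to show the parsing offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2024-01-15T08:02:11.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">HRDrone</Data>
    <Data Name="IpAddress">::ffff:192.0.2.10</Data>
  </EventData>
</Event>
'@
ConvertFrom-TgtEvent $sample

# Live use (hypothetical DC name): Find-UserLogonHost -User HRDrone -DomainController DC01
```

Run it against every DC, since a ticket request is logged only on the DC that handled it; the reverse DNS lookup can return a stale name where DHCP leases are short.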
0

As a sysadmin, you could embed a routine in your logon script to store a .txt file with the username and hostname in it, or use sqlite.

HopelessN00b
0

I had to solve this problem for doing remote support throughout my company. Things like PsLoggedOn, and tools to scan the domain controller's security logs proved to be far too slow for my purposes (getting the hostname to do remote support for users). Here's what I came up with:

  • All users have a drive mapped to X: in AD under Profile - Home folder
  • Everyone has the below script assigned under Profile - Logon script

This script records what computer they logged into in their home folder. It specifically doesn't record them logging into our terminal server, because I don't care about such entries.

'===============================================================
' Record the logon in their X: drive UNLESS they are on TERM-SERVER!
'===============================================================
' strComputerName and strIP are not defined in this snippet; they are
' assumed to be set earlier in the logon script.
If strComputerName <> "TERM-SRVER" Then
    strFile = "X:\login.txt"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' 8 = ForAppending; True = create the file if it does not exist
    Set objTextFile = objFSO.OpenTextFile(strFile, 8, True)
    objTextFile.WriteLine(strIP + " - " + strComputerName + " - " + CStr(Date) + " " + CStr(Time))
    objTextFile.Close
    ' Make it hidden
    Set objTextFile = objFSO.GetFile(strFile)
    objTextFile.Attributes = 2
End If

Then I use a bit of VBScript on my local machine to automatically find their home directory in AD, open the log file, and print out the last few lines.

Grant
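The lookup side of this answer is not shown in the post; the following is an added example of one way to do it in PowerShell, not the author's VBScript. It assumes the `X:\login.txt` line format written by the logon script above and the ActiveDirectory module (RSAT); the function names are hypothetical.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) for Get-ADUser.
function ConvertFrom-LoginLine {
    # One line as written by the logon script: "<IP> - <computer> - <date> <time>"
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)
    $parts = $Line -split ' - ', 3
    if ($parts.Count -ne 3) { return }      # skip blank or malformed lines
    [pscustomobject]@{
        IP       = $parts[0].Trim()
        Computer = $parts[1].Trim()
        When     = $parts[2].Trim()         # kept as text: CStr(Date) is locale-dependent
    }
}

function Get-UserLoginHistory {
    param([Parameter(Mandatory)][string]$User, [int]$Last = 5)
    # The home folder path comes from the "Profile - Home folder" setting in AD
    $homeDir = (Get-ADUser -Identity $User -Properties HomeDirectory).HomeDirectory
    if (-not $homeDir) { throw "No home folder set in AD for $User" }
    $log = Join-Path $homeDir 'login.txt'
    if (-not (Test-Path -LiteralPath $log)) { throw "No login.txt found in $homeDir" }
    # -Force because the logon script marks the file hidden
    Get-Content -LiteralPath $log -Tail $Last -Force |
        ForEach-Object { ConvertFrom-LoginLine $_ }
}

# Constructed sample lines (not real data) to show the parsing offline.
$sample = @(
    '192.0.2.10 - HRSTATION01 - 1/15/2024 8:02:11 AM'
    '192.0.2.44 - HR-LAPTOP-07 - 1/16/2024 9:15:40 AM'
)
$sample | ForEach-Object { ConvertFrom-LoginLine $_ }

# Live use: Get-UserLoginHistory -User HRDrone
```

Because the file lives in the user's own home folder, the user can edit or delete it; it is suited to finding a machine for remote support, while the DC Security log is the record to rely on for audit questions.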