It’s often good to know which computer a user is on right now, but historically that has not been very easy to find out, until FU, that is.
The logic behind this command is that generally every user has a home drive, and that home drive is mapped during logon. The lanmanserver (Server) service on the file server holds the session details of which user has connected from which computer or IP address.
Therefore, by querying the Win32_ServerSession class on the file server, you can determine where users are connecting from, which tells you the workstation they are currently working on.
Note that this command requires dsquery, dsget and WMIC. It also requires access to the file server to enumerate sessions (see below for more information).
You can run this at the command prompt:
Set user=%username%
for /f "tokens=2 delims=\" %i in ('"dsquery user -name %user% | dsget user -hmdir | find /i "%user%""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%user%'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 | find /i "pinging""') do @echo %q %user% %n %i %m %o
(wmic lists the requested columns alphabetically, so %m is ActiveTime, %n is ComputerName and %o is IdleTime; the third loop uses ping -a to resolve the client address in %n to a host name.)
Note that you can also use partial user name matches, as the WMI query uses a LIKE clause.
I realise that’s not easy to type in, so you can use a doskey macro, by:
- Putting the command below in a text file (c:\windows\temp\macro.txt in this example)
- Running doskey /macrofile=c:\windows\temp\macro.txt
To make doskey load the macros every time you start a command shell, run:
reg add "HKEY_LOCAL_MACHINE\software\microsoft\command processor" /v autorun /t REG_SZ /d "doskey /macrofile=c:\windows\temp\macros.txt"
You can then run:
fu %username1% [%username2%] [%username3%]
Unfortunately, securing this is quite hard. I'm embarrassed to report that the user needs to be an administrator or 'server operator' of the file server. As far as I can tell this comes back to the NetSessionEnum() function, which the Win32_ServerSession WMI class calls when enumerating sessions.
The NetSessionEnum function allows non-administrators to enumerate at information level 0 or 10, but it appears as though WMI always queries at level 1 or 2 (even if you only ask the WMI class for user/computer). This is very disappointing, as in a secure environment you won't want to make help desk/desktop support staff server operators on your file servers, and they are the people who would find this command most useful.
I went some way towards seeing whether you could adjust a securable object/low-level security descriptor (e.g. through WinObj) to expand the allowed access to this information, but was unsuccessful.
Some other thoughts:
- PsLoggedOn uses the NetSessionEnum function, and it does tell you that someone is logged on remotely, but unfortunately it doesn't provide the computer, only the username and time.
- PowerShell could probably be used to call the NetSessionEnum function easily enough with the reduced information levels (0 or 10) that don't require administrative privileges.
- Add a group in wmimgmt.msc with 'Enable Account' and 'Remote Enable' permissions on the root\CIMv2 namespace.
- Add the same group to the local 'Distributed COM Users' group (Server 2003) on each WMI target. This provides remote access for DCOM calls.
You can then test the remote WMI access with a read-only query such as:
wmic /user:"%domain%\%user%" /node:"%fileServer%" path win32_operatingsystem
Note that users given this limited access cannot:
- Execute WMI methods
- Write data through WMI providers
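Here is the PowerShell idea from the thoughts above worked through as an added example (not code from the original post): it P/Invokes NetSessionEnum at information level 10, which needs no administrator or Server Operator rights, and filters the returned sessions by user name. It assumes Windows with PowerShell 2.0 or later and network access to the file server; the server and user names at the end are placeholders.

```powershell
$netSessionSource = @'
using System;
using System.Runtime.InteropServices;
public class NetSession {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SESSION_INFO_10 {
        public string cname;     // client computer name or address, as the server recorded it
        public string username;  // user who established the session
        public uint   time;      // seconds since the session was established
        public uint   idle_time; // seconds the session has been idle
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(string server, string client, string user,
        int level, out IntPtr buf, int prefMaxLen, out int entriesRead,
        out int totalEntries, ref int resumeHandle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buf);
}
'@
Add-Type -TypeDefinition $netSessionSource

function Find-UserSession {
    param([Parameter(Mandatory = $true)][string]$FileServer,
          [string]$UserName = '*')   # wildcard pattern, matched case-insensitively
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # Level 10 = SESSION_INFO_10, no special group membership needed;
    # -1 (MAX_PREFERRED_LENGTH) lets the API allocate a buffer of the right size.
    $rc = [NetSession]::NetSessionEnum($FileServer, $null, $null, 10, [ref]$buf, -1,
                                       [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) { throw "NetSessionEnum against $FileServer failed with Win32 error $rc" }
    try {
        $type = [NetSession+SESSION_INFO_10]
        $size = [Runtime.InteropServices.Marshal]::SizeOf([type]$type)
        for ($i = 0; $i -lt $read; $i++) {
            $entry = [Runtime.InteropServices.Marshal]::PtrToStructure(
                [IntPtr]($buf.ToInt64() + $i * $size), [type]$type)
            if ($entry.username -like $UserName) {
                New-Object PSObject -Property @{
                    User = $entry.username; Client = $entry.cname
                    ActiveSeconds = $entry.time; IdleSeconds = $entry.idle_time }
            }
        }
    } finally { [void][NetSession]::NetApiBufferFree($buf) }  # always release the API buffer
}

# Placeholder names. The Client field is the value the doskey macro resolves with ping -a.
Find-UserSession -FileServer 'FILESERVER01' -UserName 'jsmith' | Format-Table -AutoSize
```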
References:
The Win32_ServerSession Windows Management Instrumentation class returns incorrect server session instances on a Windows Server 2003-based computer
http://support.microsoft.com/kb/903931
NetSessionEnum Function
http://msdn2.microsoft.com/en-us/library/bb525382(VS.85).aspx
Low-level Security Descriptor Functions
http://msdn2.microsoft.com/en-us/library/aa379204(VS.85).aspx
Securable Objects
http://msdn2.microsoft.com/en-us/library/aa379557(VS.85).aspx
Access to WMI Securable Objects
http://msdn2.microsoft.com/en-us/library/aa822576(VS.85).aspx
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.