It’s often good to know which computer a user is on right now, but historically that hasn’t been very easy to find – until FU, that is. To make doskey load the macros every time you start a command shell, run:
reg add "HKEY_LOCAL_MACHINE\software\microsoft\command processor" /v autorun /t REG_SZ /d "doskey /macrofile=c:\windows\temp\macros.txt"
You can then run:
fu %username1% [%username2%] [%username3%]
The logic behind this command is that generally every user has a home drive, and that home drive is mapped during logon. The lanmanserver service on the file server has the session details of which user has connected from which computer/IP.
Therefore, by querying the win32_serversession WMI class on the file server, you can determine where users are connecting from, which tells you the workstation they are currently working on.
Note that this command requires dsquery, dsget and WMIC. It also requires access to the file server to enumerate sessions (see below for more information).
You can run this at the command prompt:
Set user=%username%
for /f "tokens=2 delims=\" %i in ('"dsquery user -name %user% | dsget user -hmdir | find /i "%user%""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%user%'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 | find /i "pinging""') do @echo %q %user% %n %i %m %o
Note that you can also use partial username matches, because the WMI query uses a LIKE clause.
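The same three lookups (home directory, server sessions, name resolution) written as a PowerShell function. This is an added example, not code from the original post. The function name Find-UserWorkstation is hypothetical, and it assumes the ActiveDirectory (RSAT) module, WinRM access to the file server, and the same administrator or server operator rights discussed below.

```powershell
# Added example; Find-UserWorkstation is a hypothetical name, not from the post.
# Assumes the ActiveDirectory (RSAT) module and WinRM access to the file server.
function Find-UserWorkstation {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$UserName)
    process {
        foreach ($name in $UserName) {
            # The name is interpolated into an AD filter and a WQL filter below,
            # so reject quotes and wildcards up front (exact matches only).
            if ($name -notmatch '^[\w.-]+$') {
                Write-Warning "Skipping '$name': unexpected characters"
                continue
            }
            # Step 1: the home directory (\\server\share\user) names the file server.
            $adUser = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties HomeDirectory
            $unc = [regex]::Match([string]$adUser.HomeDirectory, '^\\\\([^\\]+)\\')
            if (-not $unc.Success) {
                Write-Warning "No UNC home directory found for '$name'"
                continue
            }
            $fileServer = $unc.Groups[1].Value
            # Step 2: ask that server which clients hold sessions for the user.
            try {
                $sessions = Get-CimInstance -ComputerName $fileServer -ClassName Win32_ServerSession `
                    -Filter "UserName = '$name'" -ErrorAction Stop
            } catch {
                # Typically access denied: the caller is not an administrator or
                # server operator on the file server, as the post describes.
                Write-Warning "Cannot enumerate sessions on ${fileServer}: $($_.Exception.Message)"
                continue
            }
            foreach ($s in $sessions) {
                # Step 3: ComputerName may be an IP address; resolve it as "ping -a" does.
                $client = ([string]$s.ComputerName).TrimStart('\')
                try { $hostName = [System.Net.Dns]::GetHostEntry($client).HostName }
                catch { $hostName = $client }   # no reverse record: keep the raw value
                [pscustomobject]@{
                    Workstation = $hostName
                    User        = $s.UserName
                    Client      = $client
                    FileServer  = $fileServer
                    ActiveTime  = $s.ActiveTime   # seconds
                    IdleTime    = $s.IdleTime     # seconds
                }
            }
        }
    }
}
```

Unlike the one-liner, this version matches the user name exactly rather than with LIKE, and it emits one object per session so a user with several sessions shows up on several rows.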
I realise that’s not easy to type in, so you can use a doskey macro, by:
Unfortunately, securing this is quite hard. I'm embarrassed to report that the user needs to be an administrator or 'server operator' of the file server. As far as I can tell this comes back to the NetSessionEnum() function, called by the Win32_Session WMI class when enumerating sessions.
The NetSessionEnum function call allows non-administrators to enumerate level 0 or 10, but it appears as though WMI always queries for level 1 or 2 (even if you only query the WMI class for user/computer). This is very disappointing, as in a secure environment you won’t want to let help desk/desktop support be server operators of your file servers, and these are the people who would find this command most useful.
I went some way towards seeing whether you could adjust a securable object/low-level security descriptor object (e.g. through winobj) to expand the allowed access to this information, but was unsuccessful.
Some other thoughts:
As an aside, if you do want to allow non-administrators generic CIMv2 WMI access to a 2003 server, you can do this by:
After you've done this, a command such as the following should work:
wmic /user:"%domain%\%user%" /node:"%fileServer%" path win32_operatingsystem
Note that users given this limited access cannot:
References:
The Win32_ServerSession Windows Management Instrumentation class returns incorrect server session instances on a Windows Server 2003-based computer
http://support.microsoft.com/kb/903931
NetSessionEnum Function
http://msdn2.microsoft.com/en-us/library/bb525382(VS.85).aspx
Low-level Security Descriptor Functions
http://msdn2.microsoft.com/en-us/library/aa379204(VS.85).aspx
Securable Objects
http://msdn2.microsoft.com/en-us/library/aa379557(VS.85).aspx
Access to WMI Securable Objects
http://msdn2.microsoft.com/en-us/library/aa822576(VS.85).aspx
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.