Sunday, March 9, 2008

Find where a user is connecting from through WMI

It’s often good to know which computer a user is on right now, but historically that’s not that very easy to find – until FU that is.

The logic behind this command is that generally every user has a home drive, and that home drive is mapped during logon. The lanmanserver service on the file server has the session details of which user has connected from which computer/IP.

Therefore, by querying the win32_serversession of the file server, you can determine where users are connecting from, which will tell you the workstation they are currently working on.

Note that this command requires dsquery, dsget and WMIC. It also requires access to the file server to enumerate sessions (see below for more information).

You can run this at the command prompt:
Set user=%username%
for /f "tokens=2 delims=\" %i in ('"dsquery user -name %user% dsget user -hmdir find /i "%user%""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%user%'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 find /i "pinging""') do @echo %q %user% %n %i %m %o

Note that you can also use partial username matches, the WMI query is a like clause.

I realise that’s not easy to type in, so you can use a doskey macro, by:

  • Putting the command below in a text file (c:\windows\temp\macro.txt in this example)
  • Running doskey /macrofile=c:\windows\temp\macro.txt

To make doskey load the macros every time you start a command shell, run:

reg add "HKEY_LOCAL_MACHINE\software\microsoft\command processor" /v autorun /t REG_SZ /d "doskey /macrofile=c:\windows\temp\macros.txt"

You can then run:

fu %username1% [%username2%] [%username3%]

Which will return the computername, username, IP address, active time and idle time of the user you’ve asked for.

Unfortunately, securing this is quite hard. I'm embarrassed to report that the user needs to be an administrator or 'server operator' of the file server. As far as I can tell this comes back to the NetSessionEnum() function, called by the Win32_Session WMI class when enumerating sessions.

The NetSessionEnum function call allows non-administrators to enumerate level 0 or 10, but it appears as though WMI always queries for level 1 or 2 (even if you only query the WMI class for user/computer). This is very disappointing, as in a secure environment you won’t want to let help desk/desktop support be server operators of your file servers, and these are the people who would find this command most useful.

I went some way towards seeing whether you could adjust a securable object/low-level security descriptor object (eg. through winobj) to expand the allowed access to this information, but was unsuccessful.

Some other thoughts:
  • Psloggedon uses the netsessionenum function, and it does tell you that someone is logged on remotely, but unfortunately it doesn’t provide the computer, only the username and time.
  • PowerShell could probably be used to call the NetSessionEnum function easily enough with the reduced information levels that don’t require administrative privileges
As an aside, if you do want to allow non-administrators generic CIMv2 WMI access to a 2003 server, you can do this by:
  • Add a group to wmimgmt.msc to provide 'enable account' and 'remote enable' to the root\CIMv2 namespace.
  • Add the same group to the local 'Distributed COM Users' (Server 2003) on each WMI target. This provides remote access for DCOM calls.
After you've done this, a command such as the following should work:
wmic /user:"%domain%\%user%" /node:"%fileServer%" path win32_operatingsystem

Note that users given this limited access cannot:
  • Execute WMI methods
  • Write data through WMI providers

The Win32_ServerSession Windows Management Instrumentation class returns incorrect server session instances on a Windows Server 2003-based computer

NetSessionEnum Function

Low-level Security Descriptor Functions

Securable Objects

Access to WMI Securable Objects

Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.

No comments:

All Posts

printQueue AD objects for 2003 ClusterVirtualCenter Physical to VirtualVirtual 2003 MSCS Cluster in ESX VI3
Finding duplicate DNS recordsCommand-line automation – Echo and macrosCommand-line automation – set
Command-line automation - errorlevels and ifCommand-line automation - find and findstrBuilding blocks of command-line automation - FOR
Useful PowerShell command-line operationsMSCS 2003 Cluster Virtual Server ComponentsServer-side process for simple file access
OpsMgr 2007 performance script - VMware datastores...Enumerating URLs in Internet ExplorerNTLM Trusts between 2003 and NT4
2003 Servers with Hibernation enabledReading Shortcuts with PowerShell and VBSModifying DLL Resources
Automatically mapping printersSimple string encryption with PowerShellUseful NTFS and security command-line operations
Useful Windows Printer command-line operationsUseful Windows MSCS Cluster command-line operation...Useful VMware ESX and VC command-line operations
Useful general command-line operationsUseful DNS, DHCP and WINS command-line operationsUseful Active Directory command-line operations
Useful command-linesCreating secedit templates with PowerShellFixing Permissions with NTFS intra-volume moves
Converting filetime with vbs and PowerShellDifference between bat and cmdReplica Domain for Authentication
Troubleshooting Windows PrintingRenaming a user account in ADOpsMgr 2007 Reports - Sorting, Filtering, Charting...
WMIC XSL CSV output formattingEnumerating File Server ResourcesWMIC Custom Alias and Format
AD site discoveryPassing Parameters between OpsMgr and SSRSAnalyzing Windows Kernel Dumps
Process list with command-line argumentsOpsMgr 2007 Customized Reporting - SQL QueriesPreventing accidental NTFS data moves
FSRM and NTFS Quotas in 2003 R2PowerShell Deleting NTFS Alternate Data StreamsNTFS links - reparse, symbolic, hard, junction
IE Warnings when files are executedPowerShell Low-level keyboard hookCross-forest authentication and GP processing
Deleting Invalid SMS 2003 Distribution PointsCross-forest authentication and site synchronizati...Determining AD attribute replication
AD Security vs Distribution GroupsTroubleshooting cross-forest trust secure channels...RIS cross-domain access
Large SMS Web Reports return Error 500Troubleshooting SMS 2003 MP and SLPRemotely determine physical memory
VMware SDK with PowershellSpinning Excel Pie ChartPoke-Info PowerShell script
Reading web content with PowerShellAutomated Cluster File Security and PurgingManaging printers at the command-line
File System Filters and minifiltersOpsMgr 2007 SSRS Reports using SQL 2005 XMLAccess Based Enumeration in 2003 and MSCS
Find VM snapshots in ESX/VCComparing MSCS/VMware/DFS File & PrintModifying Exchange mailbox permissions
Nested 'for /f' catch-allPowerShell FindFirstFileW bypassing MAX_PATHRunning PowerSell Scripts from ASP.Net
Binary <-> Hex String files with PowershellOpsMgr 2007 Current Performance InstancesImpersonating a user without passwords
Running a process in the secure winlogon desktopShadow an XP Terminal Services sessionFind where a user is logged on from
Active Directory _msdcs DNS zonesUnlocking XP/2003 without passwords2003 Cluster-enabled scheduled tasks
Purging aged files from the filesystemFinding customised ADM templates in ADDomain local security groups for cross-forest secu...
Account Management eventlog auditingVMware cluster/Virtual Center StatisticsRunning scheduled tasks as a non-administrator
Audit Windows 2003 print server usageActive Directory DiagnosticsViewing NTFS information with nfi and diskedit
Performance Tuning for 2003 File ServersChecking ESX/VC VMs for snapshotsShowing non-persistent devices in device manager
Implementing an MSCS 2003 server clusterFinding users on a subnetWMI filter for subnet filtered Group Policy
Testing DNS records for scavengingRefreshing Computer Account AD Group MembershipTesting Network Ports from Windows
Using Recovery Console with RISPAE Boot.ini Switch for DEP or 4GB+ memoryUsing 32-bit COM objects on x64 platforms
Active Directory Organizational Unit (OU) DesignTroubleshooting computer accounts in an Active Dir...260+ character MAX_PATH limitations in filenames
Create or modify a security template for NTFS perm...Find where a user is connecting from through WMISDDL syntax in secedit security templates

About Me

I’ve worked in IT for over 13 years, and I know just about enough to realise that I don’t know very much.