Monday, May 5, 2008

Find where a user is logged on from

In a large environment, it's often useful to know which computer a user is logged on to, but historically that’s not that very easy to find – until FU that is.

The following command will tell you which workstation a user is logged in to, based on the assumption that your normal user account in Active Directory have a home drive set and automatically mapped when they logon. This assumes the file server hosting the user home drives is Windows 2000 or later.

To run, you'll need the dsquery/dsget utilities, and wmic, and a command prompt with a doskey macro to make it easier to run.

Set user=UserA
for /f "tokens=2 delims=\" %i in ('"dsquery user -name %user% dsget user -hmdir find /i "%user%""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%user%'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 find /i "pinging""') do @echo %q %user% %n %i %m %o

I realise that’s not easy to type in, so you can use a doskey macro, by:
• Putting the command below in a text file
• Running doskey /macrofile=%path%\fu.txt (or modifying your command shell to run it automatically).

FU=for %g in ($1 $2 $3 $4 $5 $6 $7 $8 $9) do @for /f "tokens=2 delims=\" %i in ('"dsquery user -name %g dsget user -hmdir find /i "%g""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%g'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 find /i "pinging""') do @echo %q %g %n %i %m %o

You can then run:

fu UserA UserA fileserver 123 11

Or specify up to 9 usernames, eg:

fu UserA UserB UserC UserD

Note that the major limitation of using WMI (this command) or the ADSI provider is that there is apparently no way of controlling the NetSessionEnum() call to specify the information level you require. Therefore, you'll need administrative privileges on the file server for this to work. See my post for a powershell equivalent that uses information level 10 instead of 502.

Granting WMI access to standard users is not enough, it seems access to Win32_ServerSession results in a call to NetSessionEnum, and regardless of the resultset you specify, access is denied unless you're an administrator. I went some way down the track of modifying the DACLs on securable objects to see whether the permission to enumerate sessions could be granted, but I couldn't find a method (using winobj mainly).

If you do want to grant WMI access for other reasons, on a Windows Server 2003 box, you can:

  1. Use wmimgmt.msc to provide 'enable account' and 'remote enable' to the root\CIMv2 namespace (assuming you are trying to access the root)
    Add a security group to the local 'Distributed COM Users' on the server. This provides remote access for DCOM calls.
  2. After doing this, a standard call to a normal class such as win32_operatingsystem works, but still not to win32_serversession. This does not grant the right to execute methods or write data.


The article below indicates that local administrative rights or server operator rights are required to enumerate sessions: NetSessionEnum Function

The Win32_ServerSession Windows Management Instrumentation class returns incorrect server session instances on a Windows Server 2003-based computer

Access to WMI Namespaces

Securing a Remote WMI Connection

DCOM Security Enhancements

Example: Getting WMI Data from a Remote Computer

Authorize WMI users and set permissions

How To Set WMI Namespace Security in Windows XP;en-us;295292

Low-level Security Descriptor Functions

Securable Objects

Access to WMI Securable Objects

Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.

No comments:

All Posts

printQueue AD objects for 2003 ClusterVirtualCenter Physical to VirtualVirtual 2003 MSCS Cluster in ESX VI3
Finding duplicate DNS recordsCommand-line automation – Echo and macrosCommand-line automation – set
Command-line automation - errorlevels and ifCommand-line automation - find and findstrBuilding blocks of command-line automation - FOR
Useful PowerShell command-line operationsMSCS 2003 Cluster Virtual Server ComponentsServer-side process for simple file access
OpsMgr 2007 performance script - VMware datastores...Enumerating URLs in Internet ExplorerNTLM Trusts between 2003 and NT4
2003 Servers with Hibernation enabledReading Shortcuts with PowerShell and VBSModifying DLL Resources
Automatically mapping printersSimple string encryption with PowerShellUseful NTFS and security command-line operations
Useful Windows Printer command-line operationsUseful Windows MSCS Cluster command-line operation...Useful VMware ESX and VC command-line operations
Useful general command-line operationsUseful DNS, DHCP and WINS command-line operationsUseful Active Directory command-line operations
Useful command-linesCreating secedit templates with PowerShellFixing Permissions with NTFS intra-volume moves
Converting filetime with vbs and PowerShellDifference between bat and cmdReplica Domain for Authentication
Troubleshooting Windows PrintingRenaming a user account in ADOpsMgr 2007 Reports - Sorting, Filtering, Charting...
WMIC XSL CSV output formattingEnumerating File Server ResourcesWMIC Custom Alias and Format
AD site discoveryPassing Parameters between OpsMgr and SSRSAnalyzing Windows Kernel Dumps
Process list with command-line argumentsOpsMgr 2007 Customized Reporting - SQL QueriesPreventing accidental NTFS data moves
FSRM and NTFS Quotas in 2003 R2PowerShell Deleting NTFS Alternate Data StreamsNTFS links - reparse, symbolic, hard, junction
IE Warnings when files are executedPowerShell Low-level keyboard hookCross-forest authentication and GP processing
Deleting Invalid SMS 2003 Distribution PointsCross-forest authentication and site synchronizati...Determining AD attribute replication
AD Security vs Distribution GroupsTroubleshooting cross-forest trust secure channels...RIS cross-domain access
Large SMS Web Reports return Error 500Troubleshooting SMS 2003 MP and SLPRemotely determine physical memory
VMware SDK with PowershellSpinning Excel Pie ChartPoke-Info PowerShell script
Reading web content with PowerShellAutomated Cluster File Security and PurgingManaging printers at the command-line
File System Filters and minifiltersOpsMgr 2007 SSRS Reports using SQL 2005 XMLAccess Based Enumeration in 2003 and MSCS
Find VM snapshots in ESX/VCComparing MSCS/VMware/DFS File & PrintModifying Exchange mailbox permissions
Nested 'for /f' catch-allPowerShell FindFirstFileW bypassing MAX_PATHRunning PowerSell Scripts from ASP.Net
Binary <-> Hex String files with PowershellOpsMgr 2007 Current Performance InstancesImpersonating a user without passwords
Running a process in the secure winlogon desktopShadow an XP Terminal Services sessionFind where a user is logged on from
Active Directory _msdcs DNS zonesUnlocking XP/2003 without passwords2003 Cluster-enabled scheduled tasks
Purging aged files from the filesystemFinding customised ADM templates in ADDomain local security groups for cross-forest secu...
Account Management eventlog auditingVMware cluster/Virtual Center StatisticsRunning scheduled tasks as a non-administrator
Audit Windows 2003 print server usageActive Directory DiagnosticsViewing NTFS information with nfi and diskedit
Performance Tuning for 2003 File ServersChecking ESX/VC VMs for snapshotsShowing non-persistent devices in device manager
Implementing an MSCS 2003 server clusterFinding users on a subnetWMI filter for subnet filtered Group Policy
Testing DNS records for scavengingRefreshing Computer Account AD Group MembershipTesting Network Ports from Windows
Using Recovery Console with RISPAE Boot.ini Switch for DEP or 4GB+ memoryUsing 32-bit COM objects on x64 platforms
Active Directory Organizational Unit (OU) DesignTroubleshooting computer accounts in an Active Dir...260+ character MAX_PATH limitations in filenames
Create or modify a security template for NTFS perm...Find where a user is connecting from through WMISDDL syntax in secedit security templates

About Me

I’ve worked in IT for over 13 years, and I know just about enough to realise that I don’t know very much.