none
Last workstation user logon

    Question

  • Hi guys,

    i have a windows 2008 domain and a strange user that exist on and logon always at 5:00 AM ... (i think a schedulare scripts)

    I remember that exist a method (ldap attribute stored  it or cmdlet or shell command) for give where is the client where the user last login.

    Anybody can help me ?

    bye.

    Monday, April 23, 2012 11:49 AM

Answers

  • If all you need is the computer where this specific users logs on, you can use the following batch file as a logon script for this user:

    @echo off
    echo %date% %time% Logon %UserName% %ComputerName% >> \\MyServer\MyShare\LogTimes.log

    -----

    Substitute the server name and share name appropriate for your network, but the user must have read/write permissions in the share. Save this script in a file with a *.bat extension, like LogTime.bat, and save in the NetLogon share on a domain controller. Then in ADUC, select the problem user and view their properties. On the "Profile" tab enter the name of the logon script "LogTime.bat" in the field labeled "Logon script". Each time this specific user logs on, the batch file will run as a logon script and append a new line to the file LogTimes.log (the file is created the first time the script runs), assuming the user has permssions to write in the share. This will give you the user name, computer name, and date/time of each logon for this user.

    However, I agree with the suggestion that this sounds like a scheduled task that runs automatically.


    Richard Mueller - MVP Directory Services

    Monday, April 23, 2012 2:24 PM

All replies

  • You haven't provided much useful info.  There isn't a script run by Microsoft for any of what you speak of.  Could it be that you have a scheduled task that is starting this all up?  Could you post more details please.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, April 23, 2012 11:53 AM
    Moderator
  • Hello,

    Richard has great scripts available, see for your problem http://www.rlmueller.net/Logon5.htm


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, April 23, 2012 11:55 AM
  • Hello,

    These attributes may be useful for you:

    • WhenCreated: When the user was created
    • When Changed: When the last update on the user's account occured
    • lastlogon: The last time the user account logged on against a specific DC
    • lastlogontimestamp: The last time the user logged on (The value of this attribute may be wrong with 0-14 days difference

    You can read these attributes by using Attribute Editor, ADSIEdit or a script like the following:

    dsquery * DN -attr whencreated whenchanged lastlogon lastlogontimestamp

    where DN is the distinguished name of the user. Example: dsquery * "CN=user1, OU=User accounts, DC=DOMAIN, DC=COM" -attr whencreated whenchanged lastlogon lastlogontimestamp

    To get the source of logons, please see logged events in event viewer.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Monday, April 23, 2012 12:08 PM
  • Thanks to all,

    i have readed all reply.

    What i need to know is: a client computer name from the user logon in to domain is stored in same ldap attribute o variable ?

    example:

    domain: mydomain.com

    workstation:  mypc01.mydomain.com mypc02.mydomain.com , mypc03.....

    A user01 can logon on all workstation in the domain and i wan't know from where workstation user last logon did.

    If run the script logon5 write in a file  only the information for the account that run the script (my account). :(

    Thanks in advance.

    Monday, April 23, 2012 1:32 PM
  • As per my understanding, what workstations user is login is not being stored inside the AD. The only way you can find workstation name using event ID logged in the DC presuming auditing is enabled on the DC or domain. You can query either lastlogon(not replicated) or lastlogontimestamp(replicated to all DC) but not the name of the machine name user last logged on.

    http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

    If you want to query lastlogontimestamp, you can also use oldcmp tool from the Joe.

    oldcmp (objectCategory=Computer) -report -format csv -b -llts dc=domain,dc=com
    oldcmp.exe -report -age 90 -llts -format csv

    http://www.joeware.net/freetools/tools/oldcmp/index.htm


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, April 23, 2012 1:43 PM
    Moderator
  • If all you need is the computer where this specific users logs on, you can use the following batch file as a logon script for this user:

    @echo off
    echo %date% %time% Logon %UserName% %ComputerName% >> \\MyServer\MyShare\LogTimes.log

    -----

    Substitute the server name and share name appropriate for your network, but the user must have read/write permissions in the share. Save this script in a file with a *.bat extension, like LogTime.bat, and save in the NetLogon share on a domain controller. Then in ADUC, select the problem user and view their properties. On the "Profile" tab enter the name of the logon script "LogTime.bat" in the field labeled "Logon script". Each time this specific user logs on, the batch file will run as a logon script and append a new line to the file LogTimes.log (the file is created the first time the script runs), assuming the user has permssions to write in the share. This will give you the user name, computer name, and date/time of each logon for this user.

    However, I agree with the suggestion that this sounds like a scheduled task that runs automatically.


    Richard Mueller - MVP Directory Services

    Monday, April 23, 2012 2:24 PM
  • We had a request by management to track all logon/logoff events.  To do this we created Group Policies that run a Logon/Logoff script on each of our FileServers were users authenticate.  (Seperate policies for each OU were a different File server exists.)  Then, we run a batch process each night to gather all the "Log" data, post the data to an Access database, and then clear the logs for the next business day.  With this inforation, we are able to tell when a user logs on or off a PC (by the PC's AD Name) and the IP of the PC (we use hard coded IP addresses rather than DHCP).

    This is the command run in each of the scripts

    Logon

    ***********************************************

    echo OUName;Logon;%Date% %TIME%;%COMPUTERNAME%;%USERNAME%;%IP% >> "\\LocalFileServerName\Audit$\Domain.log"

    Logoff

    ***********************************************

    echo OUName;Logoff;%Date% %TIME%;%COMPUTERNAME%;%USERNAME%;%IP% >> "\\LocalFileServerName\Audit$\Domain.log"


    Chris Premo

    Monday, April 23, 2012 3:32 PM
  • Hi,
     
    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
     
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
     
    Best Regards
     
    Kevin

    TechNet Community Support

    Friday, April 27, 2012 2:17 AM