15 pts.
 Windows Login
Is there a way of knowing who last logged in to a machine and when that was? Thanks

ASKED: February 15, 2006  7:50 AM
UPDATED: March 28, 2006  10:41 AM

Answer Wiki:
Hi; I just did a search on Google. You can find the information you require in the "Event Viewer"; on my XP Pro it's in Administrative Tools, located in the Control Panel. If you select the "System" view and then select the User column, it will filter all events by User ID. I don't think this gives you exact logon times, but it will show you the activity of various users.
Last Wiki Answer Submitted:  February 15, 2006  8:30 am  by  JonnyAlpha   0 pts.
All Answer Wiki Contributors:  JonnyAlpha   0 pts.


Discuss This Question:


 

There are 2 ways

1) Looking at the last log in time for each user (I know the local PC has it but not too sure if a domain user creates the registry keys on the local PC). From this you can work out who was on last.

2) Enable auditing of successful (& failed) login (& logout) attempts using the security policy. This would show when someone attempted to log in/out and if someone attempted to log in with a bad password. This one would be better if you need to trace actions back in time, whereas the other one is constantly changed each time a user logs in.

– Nephi

 0 pts.

 

If in an Active Directory domain, download the Account Lockout and Management Tools suite, which includes acctinfo.dll. This will give you a lot of info: last logon, password age, SID, GUID. On a standalone machine, if auditing is enabled for logon events, check the Security event log.

 5,130 pts.

 

You can view the login/logout information in the Event Viewer. But before this is possible, you need to enable “Audit Policies” under the Local Security Settings (Control Panel – Administrative Tools).

Select: Security Settings – Local Policies – Audit Policies. Then you need to turn on Audit logon events (success and/or failures).

Note, if the computer is part of AD Domain, then you can do the changes through Group policies on the Domain controller.

Hope that helps!

 0 pts.
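An added example, not from the thread: with "Audit logon events" enabled as described above, Windows Vista and later record a successful logon as Security event 4624 and a failed one as 4625. The Python code below reads an XML export of the Security log and returns the most recent interactive logon and the failed attempts. The sample events, account names and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon types where someone used the console, Remote Desktop, or cached credentials.
INTERACTIVE = {"2", "10", "11"}

# Constructed sample export (not real log data), trimmed to the fields used below.
_T = ('<Event xmlns="{ns}"><System><EventID>{i}</EventID>'
      '<TimeCreated SystemTime="{t}"/></System><EventData>'
      '<Data Name="TargetUserName">{u}</Data><Data Name="TargetDomainName">{d}</Data>'
      '<Data Name="LogonType">{lt}</Data></EventData></Event>')
SAMPLE = "".join(_T.format(ns=NS["e"], i=i, t=t, d=d, u=u, lt=lt) for i, t, d, u, lt in [
    ("4624", "2024-03-04T17:02:10.1000000Z", "CORP", "alice", "2"),
    ("4624", "2024-03-05T07:55:40.0000000Z", "CORP", "bob", "10"),
    ("4624", "2024-03-05T08:14:22.5000000Z", "CORP", "svc_backup", "3"),   # network
    ("4625", "2024-03-05T08:20:01.0000000Z", "CORP", "bob", "2"),          # failed
    ("4624", "2024-03-05T08:30:00.0000000Z", "Window Manager", "DWM-1", "2"),
])

def parse_events(xml_text):
    """Yield (time_utc, event_id, account, logon_type) for 4624/4625 events."""
    body = re.sub(r"<\?xml[^>]*\?>", "", xml_text)      # a declaration cannot sit inside the wrapper
    root = ET.fromstring("<root>" + body + "</root>")   # exports may lack a single root element
    for ev in root.iter("{%s}Event" % NS["e"]):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in ("4624", "4625"):
            continue
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")  # fraction dropped
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        account = data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", "")
        yield when, event_id, account, data.get("LogonType", "")

def is_person(account):
    """Skip machine accounts and the per-session DWM/UMFD system accounts."""
    name = account.split("\\")[-1]
    return not (name.endswith("$") or name.startswith(("DWM-", "UMFD-")))

def last_interactive_logon(xml_text):
    """Most recent successful interactive logon by a user account, or None."""
    hits = [r for r in parse_events(xml_text)
            if r[1] == "4624" and r[3] in INTERACTIVE and is_person(r[2])]
    return max(hits, default=None)

def failed_logons(xml_text):
    """All failed logon attempts (4625), oldest first."""
    return sorted(r for r in parse_events(xml_text) if r[1] == "4625")
```

Timestamps in the export are UTC. Network logons (type 3) are excluded on purpose, since file-share and service connections would otherwise mask the last person who actually sat at the machine.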

 

This is a little different, but if you are wanting to programmatically view user logins, not necessarily against an individual machine, but against the whole domain, you can use WMI scripts. Here is a sample script I use which writes to a local Access database.

Const ADS_SCOPE_SUBTREE = 2
On Error Resume Next

' Connect to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Search everything under the Users OU
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://ou=Users,dc=mydoman,dc=local'"

Set objRecordSet = objCommand.Execute

' Open the destination table through the EventLogs ODBC data source
Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = 3 ' adUseClient
objRS.Open "SELECT * FROM Users", objConn, 3, 3 ' adOpenStatic, adLockOptimistic

objRecordSet.MoveFirst
Do Until objRecordSet.EOF 'objRecordSet.Fields("ADsPath").Value
    Set objOU = GetObject(objRecordSet.Fields("ADsPath").Value)
    objOU.Filter = Array("user")
    ' Write one row per user object found in this container
    For Each objUser In objOU
        objRS.AddNew
        objRS("OU") = objRecordSet.Fields("ADsPath").Value
        objRS("User") = objUser.sAMAccountName
        objRS("FullName") = objUser.cn
        objRS("LastLogon") = objUser.LastLogin
        ' objRS("LastLogoff") = objUser.LastLogoff
        objRS.Update
    Next
    objRecordSet.MoveNext
Loop

objRS.Close
objConn.Close
WScript.Echo "User Scan Complete"

 0 pts.

 

Not to be a buzz kill to anyone, but how about this “one liner” from the command prompt of one of your domain controllers:

net user %username%

If you are unsure of the username, just type “net user” and that will list your users.

 0 pts.