| Author | Messages | |
SWD
Posts:0
 | | 04/26/2007 5:06 AM |
| Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve | | | |
| listmail
Posts:824
| | 04/26/2007 1:12 AM |
| I don't have a problem with DAs logging into DCs, it just
shouldn't need to happen a whole lot. And by DA, I mean someone I would feel is
qualified to be a DA, not someone who happens to be in the DA group. This isn't
not a fine lined distinction, there are a lot of people who have DA rights that
are not, in my opinon worthy of being a DA except maybe on the domain they run
on VMWARE in the corner of their basement. Those unworthy are folks who solve
problems bychanging things withoutproper troubleshooting and
understanding of the issue or don't have a real clue on howWindows
security works by say thinking thatgiving out ServOps rights to folks on
DCs is perfectly safe.
So many people think they need DAand other rights on
domains to get real work done or troubleshoot or learn about the environment
butI think folks like Dean and I and many other truly knowledgeable folks
prove that pretty regularly to not be the case in many many customers
environments. I haven't had DA rightssince early 2004 and I can tell you
thatI at least think I have solved a ton of issues in that time.If I
am not solving the problems, then I am getting paid prettywell to just sit
around. :) So word to the folks out there, understand why are you giving
out DA rights in every case. Don't give out the other builtin rights, seriously,
it is trivial for that security to be bypassed and escalations to occur. You may
think, oh, but it is just to prevent mistakes, my folks aren't attacking us,
just stupid, I hear that often and it makes me chuckle. If you don't trust them
to be DAs, don't put them in a positon where they can attain it or some rogue
program can attain it. It wouldn't take much for aprogrammer with an
attitude toput out an executable that those serv ops would be interested
in running that could do a lot of damage.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al
MulnickSent: Thursday, April 26, 2007 11:47 AMTo:
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Computer user
last logged on?
You'd let somebody log on locally to a domain
controller and would expect it? Not sure the value of having that
information so it's really hard to tell if this is worth the effort. But as
Brian mentioned, unless your scope is really small and not very busy, then you'd
likely want to collect the information out of band. By that I mean, have
the local host push it at some point after the logon process completes.
This indicates an agent based approach that can withstand high-cpu, high disk
usage, and other parameters that might be affected by collecting nice to have
information ( i.e. information not needed for the daily tasks the end user is
expected to perform. ) To add to joe's comments below, you'd want to
create a toolset for the intended audience so that you can meet your goal of
single tool access to the data. Note that not doing that would most likely
have excluded your ability to write to the computer object anyway, but that's a
moot point now. It might be best to start thinking of the entire
solution since you'll have to have a toolset for the consumers anyway.
That might help to narrow your search for the ideal solution in your
environment. -al
On 4/26/07, joe
wrote:
First
let's clarify terminology, I think you mean computer the user last
interactively logged into.This would cover RDP and local logons. This
would explicitly exclude runas (or cpau) use, network drives connected with
alternate credentials, things such as telnet, ftp, web use, and other remote
service interface use. For real life example here, it would mean you should
never see a Domain Admin ID listed as logging into anything but a Domain
Controller or a member server completely owned and operated by Domain Admins
(reason will be an exercise for the class).
Now with
that clarification, no, AD doesn't keep this info. It could if you really
wanted it to but that would be something you put together and then AD would be
just one possible source of this info.
The basic
solutions are
1.
Scrape the event log with something and coalesce that
data.
2. Have
the user's logon script write it somewhere.
Implementation of either can vary wildy with more or less work having
to be done on your part to make the magic happen. Understanding your
environments break points / weak links is critical to do this properly.
Someone with 20 users ( hey bob, where did you
last logon at?)will or very likely have a solution that is pretty
different from someone with 20,000 users (maybe single centralized system
getting updates or item #1 via scripts or agented or agentless monitoring) or
someone with 200,000 users (serious distributed or fire and forget update type
setup or item #1 with more official event log scraping software like MOM (or
other name of the week), OVO, etc or if you are a really good large scale
environment coder you could come up with something).
As
Brian has evangalized MOM/OpsMgr is a good valid solution. I wouldn't buy it
just for this but it is a good addon. If you have any monitoring software This
is probably the easiest for most people.
For #2 you
have a variety of update mechanisms, some that I have seen in production (not
in any meaningful order)
A. Update
file in a folder.
B. Add a
file to a folder (so you can give just add rights)
C. Tap a
DB (such as MSSQL, Access, MySQL, AD, ADAM,other LDAP
store,etc)
D. Use
someform of distributed messagingsuchas WebSubmission,
Email, Message Queuing package, etc.
joe
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
Steven WoodSent: Thursday, April 26, 2007 5:06 AMTo: ActiveDir@mail.activedir.orgSubject:
[ActiveDir] Computer user last logged on?
Hi,
Is the computer name a user last logged onto
held in Active Directory somewhere? I would like to extract this with a script
if possible.
Thanks
Steve | | | |
| amulnick
Posts:163
| | 04/26/2007 1:21 AM |
| Sometimes joe, I can barely figure out what your opinion is on something. Maddening as it sounds, you're just too wishy-washy for me sometimes. :)Fair enough. Personally, I see very little reason for a DA to ever log on to a production DC and prefer that they never do so unless and until there is a change to be made. Until then, everything else should be done elsewhere. Kind of a "Break glass when needed" approach vs. having them log on regularly. I can't begin to tell how many times I walk into an environment and see DA rights a) liberally given out b) no tools to manage anywhere except on the DC's and c) deer in the headlight-like stares when the entire system crashes and nobody is able to get any work done at all. Which often leads to the next interesting conversation about actually constitutes a DR trigger event, but I digress.
Before I hijack the OP's post any further, I just wanted to be sure I understood the meaning you were intending. You had me worried you might be slipping or something. -ajm
On 4/26/07, joe wrote:
I don't have a problem with DAs logging into DCs, it just
shouldn't need to happen a whole lot. And by DA, I mean someone I would feel is
qualified to be a DA, not someone who happens to be in the DA group. This isn't
not a fine lined distinction, there are a lot of people who have DA rights that
are not, in my opinon worthy of being a DA except maybe on the domain they run
on VMWARE in the corner of their basement. Those unworthy are folks who solve
problems bychanging things withoutproper troubleshooting and
understanding of the issue or don't have a real clue on howWindows
security works by say thinking thatgiving out ServOps rights to folks on
DCs is perfectly safe.
So many people think they need DAand other rights on
domains to get real work done or troubleshoot or learn about the environment
butI think folks like Dean and I and many other truly knowledgeable folks
prove that pretty regularly to not be the case in many many customers
environments. I haven't had DA rightssince early 2004 and I can tell you
thatI at least think I have solved a ton of issues in that time.If I
am not solving the problems, then I am getting paid prettywell to just sit
around. :) So word to the folks out there, understand why are you giving
out DA rights in every case. Don't give out the other builtin rights, seriously,
it is trivial for that security to be bypassed and escalations to occur. You may
think, oh, but it is just to prevent mistakes, my folks aren't attacking us,
just stupid, I hear that often and it makes me chuckle. If you don't trust them
to be DAs, don't put them in a positon where they can attain it or some rogue
program can attain it. It wouldn't take much for aprogrammer with an
attitude toput out an executable that those serv ops would be interested
in running that could do a lot of damage.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al
MulnickSent: Thursday, April 26, 2007 11:47 AMTo:
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Computer user
last logged on?
You'd let somebody log on locally to a domain
controller and would expect it? Not sure the value of having that
information so it's really hard to tell if this is worth the effort. But as
Brian mentioned, unless your scope is really small and not very busy, then you'd
likely want to collect the information out of band. By that I mean, have
the local host push it at some point after the logon process completes.
This indicates an agent based approach that can withstand high-cpu, high disk
usage, and other parameters that might be affected by collecting nice to have
information ( i.e. information not needed for the daily tasks the end user is
expected to perform. ) To add to joe's comments below, you'd want to
create a toolset for the intended audience so that you can meet your goal of
single tool access to the data. Note that not doing that would most likely
have excluded your ability to write to the computer object anyway, but that's a
moot point now. It might be best to start thinking of the entire
solution since you'll have to have a toolset for the consumers anyway.
That might help to narrow your search for the ideal solution in your
environment. -al
On 4/26/07, joe
wrote:
First
let's clarify terminology, I think you mean computer the user last
interactively logged into.This would cover RDP and local logons. This
would explicitly exclude runas (or cpau) use, network drives connected with
alternate credentials, things such as telnet, ftp, web use, and other remote
service interface use. For real life example here, it would mean you should
never see a Domain Admin ID listed as logging into anything but a Domain
Controller or a member server completely owned and operated by Domain Admins
(reason will be an exercise for the class).
Now with
that clarification, no, AD doesn't keep this info. It could if you really
wanted it to but that would be something you put together and then AD would be
just one possible source of this info.
The basic
solutions are
1.
Scrape the event log with something and coalesce that
data.
2. Have
the user's logon script write it somewhere.
Implementation of either can vary wildy with more or less work having
to be done on your part to make the magic happen. Understanding your
environments break points / weak links is critical to do this properly.
Someone with 20 users ( hey bob, where did you
last logon at?)will or very likely have a solution that is pretty
different from someone with 20,000 users (maybe single centralized system
getting updates or item #1 via scripts or agented or agentless monitoring) or
someone with 200,000 users (serious distributed or fire and forget update type
setup or item #1 with more official event log scraping software like MOM (or
other name of the week), OVO, etc or if you are a really good large scale
environment coder you could come up with something).
As
Brian has evangalized MOM/OpsMgr is a good valid solution. I wouldn't buy it
just for this but it is a good addon. If you have any monitoring software This
is probably the easiest for most people.
For #2 you
have a variety of update mechanisms, some that I have seen in production (not
in any meaningful order)
A. Update
file in a folder.
B. Add a
file to a folder (so you can give just add rights)
C. Tap a
DB (such as MSSQL, Access, MySQL, AD, ADAM,other LDAP
store,etc)
D. Use
someform of distributed messagingsuchas WebSubmission,
Email, Message Queuing package, etc.
joe
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of
Steven WoodSent: Thursday, April 26, 2007 5:06 AMTo: ActiveDir@mail.activedir.org
Subject:
[ActiveDir] Computer user last logged on?
Hi,
Is the computer name a user last logged onto
held in Active Directory somewhere? I would like to extract this with a script
if possible.
Thanks
Steve | | | |
| listmail
Posts:824
| | 04/26/2007 4:36 AM |
| =) Most folks tend to understand my opinion and where they
stand with me pretty quickly. Cut to the chase you know? I am not into the whole
PC thing. It wastes time and causes confusion.
Completely concur and I could probably add considerable
numbers to your counts on the items you specified. If DAs are logging into DCs
on a regular basis that would be indicative of a problem to me. Most likely a DA
staff that is under informed on how to manage/troubleshoot AD. Again, been
troubleshooting this stuff in my current job of high end problem killer guy for
almost 3 years now without ever logging into a DC or even having rights
exceeding Domain user with Exchange View. Not that people don't try to give me
the rights, but I refuse them every time. It always bothers me if I walk in a
door and an admin is willing to give me the keys to their environment within the
first couple of days of me being there. Makes me wonder how qualified everyone
is because they seem a bit quick to give the rights out.
Certainly I have slipped a couple of cogs and am dead tired
from hardly sleeping at DEC but that impacts my loquaciousness (I become over
talkative and offer up too much info) not my stance on properly running an
environment and how DCs should be treated. ;o)
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al
MulnickSent: Thursday, April 26, 2007 1:22 PMTo:
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Computer user
last logged on?
Sometimes joe, I can barely figure out what your opinion is on
something. Maddening as it sounds, you're just too wishy-washy for me
sometimes. :)Fair enough. Personally, I see very little reason for
a DA to ever log on to a production DC and prefer that they never do so unless
and until there is a change to be made. Until then, everything else should
be done elsewhere. Kind of a "Break glass when needed" approach vs. having them
log on regularly. I can't begin to tell how many times I walk into an
environment and see DA rights a) liberally given out b) no tools to manage
anywhere except on the DC's and c) deer in the headlight-like stares when the
entire system crashes and nobody is able to get any work done at all. Which
often leads to the next interesting conversation about actually constitutes a DR
trigger event, but I digress. Before I hijack the OP's post any further,
I just wanted to be sure I understood the meaning you were intending. You
had me worried you might be slipping or something. -ajm
On 4/26/07, joe
wrote:
I don't
have a problem with DAs logging into DCs, it just shouldn't need to happen a
whole lot. And by DA, I mean someone I would feel is qualified to be a DA, not
someone who happens to be in the DA group. This isn't not a fine lined
distinction, there are a lot of people who have DA rights that are not, in my
opinon worthy of being a DA except maybe on the domain they run on VMWARE in
the corner of their basement. Those unworthy are folks who solve problems
bychanging things withoutproper troubleshooting and understanding
of the issue or don't have a real clue on howWindows security works by
say thinking thatgiving out ServOps rights to folks on DCs is perfectly
safe.
So many
people think they need DAand other rights on domains to get real work
done or troubleshoot or learn about the environment butI think folks
like Dean and I and many other truly knowledgeable folks prove that pretty
regularly to not be the case in many many customers environments. I haven't
had DA rightssince early 2004 and I can tell you thatI at least
think I have solved a ton of issues in that time.If I am not solving the
problems, then I am getting paid prettywell to just sit around. :)
So word to the folks out there, understand why are you giving out DA rights in
every case. Don't give out the other builtin rights, seriously, it is trivial
for that security to be bypassed and escalations to occur. You may think, oh,
but it is just to prevent mistakes, my folks aren't attacking us, just stupid,
I hear that often and it makes me chuckle. If you don't trust them to be DAs,
don't put them in a positon where they can attain it or some rogue program can
attain it. It wouldn't take much for aprogrammer with an attitude
toput out an executable that those serv ops would be interested in
running that could do a lot of damage.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al
MulnickSent: Thursday, April 26, 2007 11:47 AMTo: ActiveDir@mail.activedir.orgSubject: Re:
[ActiveDir] Computer user last logged on?
You'd let somebody log on locally to a domain
controller and would expect it? Not sure the value of having that
information so it's really hard to tell if this is worth the effort. But as
Brian mentioned, unless your scope is really small and not very busy, then
you'd likely want to collect the information out of band. By that I
mean, have the local host push it at some point after the logon process
completes. This indicates an agent based approach that can withstand
high-cpu, high disk usage, and other parameters that might be affected by
collecting nice to have information ( i.e. information not needed for the
daily tasks the end user is expected to perform. ) To add to joe's
comments below, you'd want to create a toolset for the intended audience so
that you can meet your goal of single tool access to the data. Note that
not doing that would most likely have excluded your ability to write to the
computer object anyway, but that's a moot point now. It might be best
to start thinking of the entire solution since you'll have to have a toolset
for the consumers anyway. That might help to narrow your search for the
ideal solution in your environment. -al
On 4/26/07, joe
wrote:
First
let's clarify terminology, I think you mean computer the user last
interactively logged into.This would cover RDP and local logons. This
would explicitly exclude runas (or cpau) use, network drives connected with
alternate credentials, things such as telnet, ftp, web use, and other remote
service interface use. For real life example here, it would mean you should
never see a Domain Admin ID listed as logging into anything but a Domain
Controller or a member server completely owned and operated by Domain Admins
(reason will be an exercise for the class).
Now with
that clarification, no, AD doesn't keep this info. It could if you really
wanted it to but that would be something you put together and then AD would
be just one possible source of this info.
The
basic solutions are
1.
Scrape the event log with something and coalesce that
data.
2. Have
the user's logon script write it somewhere.
Implementation of either can vary wildy with more or less work having
to be done on your part to make the magic happen. Understanding your
environments break points / weak links is critical to do this properly.
Someone with 20 users ( hey bob, where did
you last logon at?)will or very likely have a solution that is pretty
different from someone with 20,000 users (maybe single centralized system
getting updates or item #1 via scripts or agented or agentless monitoring)
or someone with 200,000 users (serious distributed or fire and forget update
type setup or item #1 with more official event log scraping software like
MOM (or other name of the week), OVO, etc or if you are a really good large
scale environment coder you could come up with
something).
As
Brian has evangalized MOM/OpsMgr is a good valid solution. I wouldn't buy it
just for this but it is a good addon. If you have any monitoring software
This is probably the easiest for most people.
For #2
you have a variety of update mechanisms, some that I have seen in production
(not in any meaningful order)
A.
Update file in a folder.
B. Add a
file to a folder (so you can give just add rights)
C. Tap a
DB (such as MSSQL, Access, MySQL, AD, ADAM,other LDAP
store,etc)
D. Use
someform of distributed messagingsuchas
WebSubmission, Email, Message Queuing package,
etc.
joe
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto: ActiveDir-owner@mail.activedir.org] On Behalf Of
Steven WoodSent: Thursday, April 26, 2007 5:06
AMTo: ActiveDir@mail.activedir.org Subject:
[ActiveDir] Computer user last logged on?
Hi,
Is the computer name a user last logged
onto held in Active Directory somewhere? I would like to extract this with a
script if possible.
Thanks
Steve | | | |
| bdesmond
Posts:996
| | 04/26/2007 6:09 AM |
| No. You would have to mine the security logs of every DC in your
forest.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Steven Wood
Sent: Thursday, April 26, 2007 5:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve | | | |
| SteveRochford
Posts:10
| | 04/26/2007 6:55 AM |
| A solution may be to add something to the login/logoff scripts
to record the user logon details to (say) a SQL database – this can then be
easily queried for any info you need (and I’ve found this easier than trying to
query DC logs)
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve | | | |
| bdesmond
Posts:996
| | 04/26/2007 7:09 AM |
| Works great in a small centralized environment – distributed with
hundreds of thousands of users … probably not so great.
If it were me I’d go with a product with features designed for
this (e.g. MS OpsMgr) – stream whatever security events you want to a database
in near real time.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Steve Rochford
Sent: Thursday, April 26, 2007 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
A solution may be to add something to the login/logoff scripts
to record the user logon details to (say) a SQL database – this can then be
easily queried for any info you need (and I’ve found this easier than trying to
query DC logs)
Steve
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve | | | |
| davewade
Posts:119
| | 04/26/2007 7:18 AM |
| I think that that requires carefull design to make sure the server is not an single point of failure,. You could do something simple such as adding
echo %username%,%computername%,%date%,%time% >>\\%logonserver%\\mylogs\\logondata.txt
to the logon script but then you would have to be carefull the logs did not over flow. If you have multiple time zones things might go wrong. etc etc...
Dave Wade
0161 474 5456
________________________________
From: ActiveDir-owner@mail.activedir.org on behalf of Steve Rochford
Sent: Thu 26/04/2007 11:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
A solution may be to add something to the login/logoff scripts to record the user logon details to (say) a SQL database - this can then be easily queried for any info you need (and I've found this easier than trying to query DC logs)
Steve
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is the computer name a user last logged onto held in Active Directory somewhere? I would like to extract this with a script if possible.
Thanks
Steve
**********************************************************************
This email, and any files transmitted with it, is confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act.
If you receive this email in error please notify Stockport e-Services via email.query@stockport.gov.uk and then permanently remove it from your system.
Thank you.
http://www.stockport.gov.uk
********************************************************************** | | | |
| bdesmond
Posts:996
| | 04/26/2007 7:25 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
What’s to stop the end user from deleting the contents of
logondata.txt?
Clustering a SQL server with 205 is easy and cheap – you don’t
even need a SAN anymore. Removes your single point of failure (you can even
geocluster with the new mirroring stuff).
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Dave Wade
Sent: Thursday, April 26, 2007 7:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
I think that that requires carefull design to make sure the server
is not an single point of failure,. You could do something simple such as
adding
echo
%username%,%computername%,%date%,%time% >>\\%logonserver%\\mylogs\\logondata.txt
to
the logon scriptbut then you would have to be carefull the logs did not
over flow. If you have multiple time zones things might go wrong. etc etc...
Dave Wade
0161 474 5456
From:
ActiveDir-owner@mail.activedir.org on behalf of Steve Rochford
Sent: Thu 26/04/2007 11:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
A solution may be to add something to the login/logoff scripts
to record the user logon details to (say) a SQL database – this can then be
easily queried for any info you need (and I’ve found this easier than trying to
query DC logs)
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve
**********************************************************************
This email, and any files transmitted with
it, is confidential and
intended solely for the use of the
individual or entity to whom they
are addressed. As a public body, the
Council may be required to disclose this email, or any response to it, under
the Freedom of Information Act 2000, unless the information in it is covered by
one of the exemptions in the Act.
If you receive this email in error please
notify Stockport e-Services via email.query@stockport.gov.uk and then
permanently remove it from your system.
Thank you.
http://www.stockport.gov.uk
********************************************************************** | | | |
| SteveRochford
Posts:10
| | 04/26/2007 10:24 AM |
| We’ve actually done it so that the login script calls a an
intranet web page with appropriate parameters. Not sure how scalable this would
be but I imagine you could cluster web servers or load balance (or even just
make the script use different servers dependent on location) – we’ve only got
about 2,500 computers so I don’t have to worry about the really big things :-)
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: 26 April 2007 12:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
Works great in a small centralized
environment – distributed with hundreds of thousands of users … probably not so
great.
If it were me I’d go with a product
with features designed for this (e.g. MS OpsMgr) – stream whatever security
events you want to a database in near real time.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Rochford
Sent: Thursday, April 26, 2007 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
A solution may be to add something to the login/logoff scripts
to record the user logon details to (say) a SQL database – this can then be
easily queried for any info you need (and I’ve found this easier than trying to
query DC logs)
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve | | | |
| sbradcpa
Posts:496
| | 04/26/2007 10:34 AM |
| Stupid question alert... anything new on this in Vista/Longhorn? Just
wondering.
Steve Rochford wrote:
We’ve
actually done it so that the login script calls a an
intranet web page with appropriate parameters. Not sure how scalable
this would
be but I imagine you could cluster web servers or load balance (or even
just
make the script use different servers dependent on location) – we’ve
only got
about 2,500 computers so I don’t have to worry about the really big
things :-)
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian
Desmond
Sent: 26 April 2007 12:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
Works great in a small centralized
environment – distributed with hundreds of thousands of users …
probably not so
great.
If it were me I’d go with a product
with features designed for this (e.g. MS OpsMgr) – stream whatever
security
events you want to a database in near real time.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve
Rochford
Sent: Thursday, April 26, 2007 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
A
solution may be to add something to the login/logoff scripts
to record the user logon details to (say) a SQL database – this can
then be
easily queried for any info you need (and I’ve found this easier than
trying to
query DC logs)
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven
Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory
somewhere? I
would like to extract this with a script if possible.
Thanks
Steve
--
If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog.
..and my blog is at www.sbsdiva.com....
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| bdesmond
Posts:996
| | 04/26/2007 10:42 AM |
| No just use ACS in OpsMgr and collect the events.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, April 26, 2007 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer user last logged on?
Stupid question alert... anything new on this in
Vista/Longhorn? Just wondering.
Steve Rochford wrote:
We’ve actually done it so that the login script calls a an
intranet web page with appropriate parameters. Not sure how scalable this would
be but I imagine you could cluster web servers or load balance (or even just
make the script use different servers dependent on location) – we’ve only got
about 2,500 computers so I don’t have to worry about the really big things :-)
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Brian Desmond
Sent: 26 April 2007 12:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
Works great in a small centralized environment – distributed
with hundreds of thousands of users … probably not so great.
If it were me I’d go with a product with features designed for
this (e.g. MS OpsMgr) – stream whatever security events you want to a database
in near real time.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Steve Rochford
Sent: Thursday, April 26, 2007 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
A solution may be to add something to the login/logoff scripts
to record the user logon details to (say) a SQL database – this can then be
easily queried for any info you need (and I’ve found this easier than trying to
query DC logs)
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve
-- If you are a SBSer... you had better be reading http://blogs.technet.com/sbs - the SBS Blog...and my blog is at www.sbsdiva.com....
List info :
http://www.activedir.org/List.aspx List FAQ :
http://www.activedir.org/ListFAQ.aspx List archive:
http://www.activedir.org/ma/default.aspx | | | |
| bdesmond
Posts:996
| | 04/26/2007 10:42 AM |
| HTTP call as a lot of overhead relatively speaking, but if it
works for you that’s great!
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Steve Rochford
Sent: Thursday, April 26, 2007 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
We’ve actually done it so that the login script calls a an
intranet web page with appropriate parameters. Not sure how scalable this would
be but I imagine you could cluster web servers or load balance (or even just
make the script use different servers dependent on location) – we’ve only got
about 2,500 computers so I don’t have to worry about the really big things :-)
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: 26 April 2007 12:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
Works great in a small centralized environment – distributed
with hundreds of thousands of users … probably not so great.
If it were me I’d go with a product with features designed for
this (e.g. MS OpsMgr) – stream whatever security events you want to a database
in near real time.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Steve Rochford
Sent: Thursday, April 26, 2007 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
A solution may be to add something to the login/logoff scripts
to record the user logon details to (say) a SQL database – this can then be
easily queried for any info you need (and I’ve found this easier than trying to
query DC logs)
Steve
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve | | | |
| SWD
Posts:0
| | 04/26/2007 11:12 AM |
| Thanks for the suggestions so far. I was thinking of writing the
computer name to AD when the users logon, having it held in AD would be useful
for a number of reasons, helpdesk staff could read it back through one
interface etc. Can you see any problems with this? If it was written to the DC
the user connected to I can’t see load being a problem.
Thanks
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve | | | |
| bdesmond
Posts:996
| | 04/26/2007 11:15 AM |
| Well you wouldn’t get any history which is usually the goal of
these things.
How would you secure the attribute? Give domain users write?
What’s to stop some goof from setting them all domainwide to something?
I guess I can’t tell whether you’re trying to achieve a security
goal or a supportability goal or?
If it’s just for the helpdesk why can’t the end user just open a
command prompt and type set computername for them and read it back? This is
what I have people do when I get stuck on end user support calls.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Steven Wood
Sent: Thursday, April 26, 2007 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
Thanks for the suggestions so far. I was thinking of writing the
computer name to AD when the users logon, having it held in AD would be useful
for a number of reasons, helpdesk staff could read it back through one
interface etc. Can you see any problems with this? If it was written to the DC
the user connected to I can’t see load being a problem.
Thanks
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve | | | |
| jitendrakalyankar
Posts:3
| | 04/26/2007 11:19 AM |
| Not sure if you looked at the WMI...you will get the current logged on user on that particular machine thru WMI. If you need some more information let me know....
-J
On 4/26/07, Brian Desmond wrote:
Well you wouldn't get any history which is usually the goal of these things.
How would you secure the attribute? Give domain users write? What's to stop some goof from setting them all domainwide to something?
I guess I can't tell whether you're trying to achieve a security goal or a supportability goal or?
If it's just for the helpdesk why can't the end user just open a command prompt and type set computername for them and read it back? This is what I have people do when I get stuck on end user support calls.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven WoodSent:
Thursday, April 26, 2007 11:12 AMTo: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
Thanks for the suggestions so far. I was thinking of writing the computer name to AD when the users logon, having it held in AD would be useful for a number of reasons, helpdesk staff could read it back through one interface etc. Can you see any problems with this? If it was written to the DC the user connected to I can't see load being a problem.
Thanks
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven WoodSent:
26 April 2007 10:06To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Computer user last logged on?
Hi,
Is the computer name a user last logged onto held in Active Directory somewhere? I would like to extract this with a script if possible.
Thanks
Steve | | | |
| RichardKline
Posts:11
| | 04/26/2007 11:31 AM |
| WMI might be too limited for this
purpose:
Current logged in user isn't necessarily the one who
last logged in. It will return a blank (or null) if the machine is
sitting at the initial "Press Ctl-Alt-Del" login
display.
Is unavailable if the workstation is turned
off.
We record the current logged in user as a normal data
element in our WMI based inventory system. You'd be surprised how
many times it is returned up as a blank (or null). We remotely attach to
the machines once a week or so and record the results in SQL
server.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jitendra
KalyankarSent: Thursday, April 26, 2007 11:19 AMTo:
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Computer user
last logged on?
Not sure if you looked at the WMI...you will get the current logged on user
on that particular machine thru WMI. If you need some more information let me
know....
-J...
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
Steven WoodSent: 26 April 2007 10:06To: ActiveDir@mail.activedir.orgSubject: [ActiveDir]
Computer user last logged on?
Hi,
Is the computer name a user last
logged onto held in Active Directory somewhere? I would like to extract this
with a script if possible.
Thanks
Steve | | | |
| SWD
Posts:0
| | 04/26/2007 11:33 AM |
| I couldn’t secure the attribute, I would have to give the user
write access but I was thinking as they would be unable to see the attribute
value it would be unlikely they’d write anything different to it. I wasn’t
thinking of using it for security reasons just as a simple log of where
they had last logged on and when. It would be equally handy to for a computer
object to show who had logged onto it last. I think I’ll go with writing
it to a SQL table.
Thanks all for your comments.
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: 26 April 2007 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
Well you wouldn’t get any
history which is usually the goal of these things.
How would you secure the attribute?
Give domain users write? What’s to stop some goof from setting them all
domainwide to something?
I guess I can’t tell whether
you’re trying to achieve a security goal or a supportability goal or?
If it’s just for the helpdesk
why can’t the end user just open a command prompt and type set
computername for them and read it back? This is what I have people do when I
get stuck on end user support calls.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Steven Wood
Sent: Thursday, April 26, 2007 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer user last logged on?
Thanks for the suggestions so far. I was thinking of writing the
computer name to AD when the users logon, having it held in AD would be useful
for a number of reasons, helpdesk staff could read it back through one
interface etc. Can you see any problems with this? If it was written to the DC
the user connected to I can’t see load being a problem.
Thanks
Steve
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven Wood
Sent: 26 April 2007 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer user last logged on?
Hi,
Is
the computer name a user last logged onto held in Active Directory somewhere? I
would like to extract this with a script if possible.
Thanks
Steve | | | |
| listmail
Posts:824
| | 04/26/2007 11:37 AM |
| @page Section1 {size: 612.0pt 792.0pt; margin: 72.0pt 72.0pt 72.0pt 72.0pt; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman","serif"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman","serif"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman","serif"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.EmailStyle17 {
COLOR: black; FONT-FAMILY: "Arial","sans-serif"; mso-style-type: personal-compose
}
.MsoChpDefault {
FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.Section1 {
page: Section1
}
First let's clarify terminology, I think you mean computer
the user last interactively logged into.This would cover RDP and local
logons. This would explicitly exclude runas (or cpau) use, network drives
connected with alternate credentials, things such as telnet, ftp, web use, and
other remote service interface use. For real life example here, it would mean
you should never see a Domain Admin ID listed as logging into anything but a
Domain Controller or a member server completely owned and operated by Domain
Admins (reason will be an exercise for the class).
Now with that clarification, no, AD doesn't keep this info.
It could if you really wanted it to but that would be something you put together
and then AD would be just one possible source of this info.
The basic solutions are
1. Scrape the event log with something and coalesce
that data.
2. Have the user's logon script write it somewhere.
Implementation of either can vary wildy with more or less
work having to be done on your part to make the magic happen. Understanding your
environments break points / weak links is critical to do this properly. Someone
with 20 users ( hey bob, where did you last
logon at?)will or very likely have a solution that is pretty different
from someone with 20,000 users (maybe single centralized system getting updates
or item #1 via scripts or agented or agentless monitoring) or someone with
200,000 users (serious distributed or fire and forget update type setup or item
#1 with more official event log scraping software like MOM (or other name of the
week), OVO, etc or if you are a really good large scale environment coder you
could come up with something).
As Brian has evangalized MOM/OpsMgr is a good valid
solution. I wouldn't buy it just for this but it is a good addon. If you have
any monitoring software This is probably the easiest for most people.
For #2 you have a variety of update mechanisms, some that I
have seen in production (not in any meaningful order)
A. Update file in a folder.
B. Add a file to a folder (so you can give just add
rights)
C. Tap a DB (such as MSSQL, Access, MySQL, AD,
ADAM,other LDAP store,etc)
D. Use someform of distributed
messagingsuchas WebSubmission, Email, Message Queuing package,
etc.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven
WoodSent: Thursday, April 26, 2007 5:06 AMTo:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Computer user last
logged on?
Hi,
Is the computer name
a user last logged onto held in Active Directory somewhere? I would like to
extract this with a script if possible.
Thanks
Steve | | | |
| amulnick
Posts:163
| | 04/26/2007 11:47 AM |
| You'd let somebody log on locally to a domain controller and would expect it? Not sure the value of having that information so it's really hard to tell if this is worth the effort. But as Brian mentioned, unless your scope is really small and not very busy, then you'd likely want to collect the information out of band. By that I mean, have the local host push it at some point after the logon process completes. This indicates an agent based approach that can withstand high-cpu, high disk usage, and other parameters that might be affected by collecting nice to have information (
i.e. information not needed for the daily tasks the end user is expected to perform. ) To add to joe's comments below, you'd want to create a toolset for the intended audience so that you can meet your goal of single tool access to the data. Note that not doing that would most likely have excluded your ability to write to the computer object anyway, but that's a moot point now.
It might be best to start thinking of the entire solution since you'll have to have a toolset for the consumers anyway. That might help to narrow your search for the ideal solution in your environment.
-alOn 4/26/07, joe wrote:
First let's clarify terminology, I think you mean computer
the user last interactively logged into.This would cover RDP and local
logons. This would explicitly exclude runas (or cpau) use, network drives
connected with alternate credentials, things such as telnet, ftp, web use, and
other remote service interface use. For real life example here, it would mean
you should never see a Domain Admin ID listed as logging into anything but a
Domain Controller or a member server completely owned and operated by Domain
Admins (reason will be an exercise for the class).
Now with that clarification, no, AD doesn't keep this info.
It could if you really wanted it to but that would be something you put together
and then AD would be just one possible source of this info.
The basic solutions are
1. Scrape the event log with something and coalesce
that data.
2. Have the user's logon script write it somewhere.
Implementation of either can vary wildy with more or less
work having to be done on your part to make the magic happen. Understanding your
environments break points / weak links is critical to do this properly. Someone
with 20 users ( hey bob, where did you last
logon at?)will or very likely have a solution that is pretty different
from someone with 20,000 users (maybe single centralized system getting updates
or item #1 via scripts or agented or agentless monitoring) or someone with
200,000 users (serious distributed or fire and forget update type setup or item
#1 with more official event log scraping software like MOM (or other name of the
week), OVO, etc or if you are a really good large scale environment coder you
could come up with something).
As Brian has evangalized MOM/OpsMgr is a good valid
solution. I wouldn't buy it just for this but it is a good addon. If you have
any monitoring software This is probably the easiest for most people.
For #2 you have a variety of update mechanisms, some that I
have seen in production (not in any meaningful order)
A. Update file in a folder.
B. Add a file to a folder (so you can give just add
rights)
C. Tap a DB (such as MSSQL, Access, MySQL, AD,
ADAM,other LDAP store,etc)
D. Use someform of distributed
messagingsuchas WebSubmission, Email, Message Queuing package,
etc.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steven
WoodSent: Thursday, April 26, 2007 5:06 AMTo:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Computer user last
logged on?
Hi,
Is the computer name
a user last logged onto held in Active Directory somewhere? I would like to
extract this with a script if possible.
Thanks
Steve | | | |
|
|