
Previous Logon Question


Mike Chia

Dec 10, 2002, 1:54:45 PM
Hi All,
Does anyone know if there is any script or way to pop up a window
to show a user's last logon time before they sign in to the W2K network?
The reason I want to do this is a lot of users in my facility are
complaining that their settings have been changed overnight, and they
want to make sure no one logged on overnight without their
acknowledgement. Any help is greatly appreciated. Thanks

Regards,
Mike Chia

Mark V

Dec 10, 2002, 2:07:22 PM
mike...@hotmail.com (Mike Chia) wrote in
news:623c6dd1.02121...@posting.google.com:

Pardon me for saying so, but if more than one person is using the
same logon account, you have a much more serious security problem to
deal with first within your organization.

To answer your question though, I don't know of any way to do that
from the local workstation. Others may have an idea.

At the server you could script something that cycles through all the
domain accounts and retrieves the Last Logon time. Perhaps running
it early in the AM and looking for a time within a range (e.g. 10pm -
6am) or some such.

Or just setting auditing on for authenticated domain logon and the
records will be in the Event logs.

No other ideas here at the moment.

Bill Stewart

Dec 10, 2002, 2:47:10 PM
Mike Chia <mike...@hotmail.com> wrote:

> Does anyone know if there is any script or way to pop up a window to
> show a user's last logon time before they sign in to the W2K network? The
> reason I want to do this is a lot of users in my facility are complaining
> that their settings have been changed overnight, and they want to make
> sure no one logged on overnight without their acknowledgement.

I wrote a short executable called truelast.exe that does this by cycling
through all logon servers and obtaining the latest logon time. It uses the
NetServerEnum and NetUserGetInfo Win32 APIs to get the information.
Presumably these APIs work reliably on a Windows 2000 domain, but I have
not tested it. Also, these two APIs only exist on NT 4 and later, so the
program won't work on Win9x/Me. It outputs like the following:

Last logon for [username] was from [servername] on [date and time]

You can get it here:

http://mywebpages.comcast.net/stewartb/files/truelast.zip


Michael Bednarek

Dec 10, 2002, 7:41:37 PM
On Tue, 10 Dec 2002 12:47:10 -0700, "Bill Stewart"
<bste...@iname.no_spam.com> wrote in
microsoft.public.win2000.cmdprompt.admin:

But if user Jane runs truelast during her login, it would show the
login time of this very session, no?

I suspect the only way of achieving what Mike Chia wants is to rewrite
or hook into the Windows login process (GINA?).

Or all users could log into a common account which will ask them for
their username, run truelast for that, log out, and then users log in
to their proper account. Very messy.

--
Michael Bednarek, IT Manager, Tactical Global Management
Waterfront Pl, Brisbane 4000, Australia. "POST NO BILLS"
http://mcmbednarek.tripod.com/

Marty List

Dec 10, 2002, 8:32:48 PM

Or a third option would be to record all logins in some sort of database or
file which the login script queries for the previous login. This is not
simple if you want it robust, but it's not real difficult. I've done
something similar using KiXtart.


"Michael Bednarek" <m...@tgm.com.au> wrote in message
news:ru1dvu8vgl9rbiqde...@4ax.com...

Harry Bates

Dec 10, 2002, 10:34:58 PM
Jerry Schulman helped me out with this a while back when our logon script
was just a batch file. Now it is straight ini file driven VB, but back then
we needed to show last logon times for US DoD requirements on our classified
side of our environment. Bill, the executable you mention, if not logging
the time\date somewhere, must be showing you the very session that you logged
into if you are on an NT4 domain, but if on NT5 AD, there are 2 last logon
recordings. One is the session you are on and the other is the previous
session. Either way you have to pull the info from NetUserGetInfo in seconds
from 1970 in programming. To do this successfully in NT4, you MUST log the
info to a file or database in "NET USER" command or programmatically via
NetUserGetInfo. The one stipulation is that for some reason they changed the
line numbers in NT5 so you must test for NT4 or NT5 prior to this and
redirect accordingly. For this Jerry coded a cmd script here:
http://www.jsiinc.com/subg/tip3400/rh3437.htm . You could use my util to
get the OS version portion located here:
http://www.jsiinc.com/subi/tip4400/rh4445.htm . Another thing to remember in
NT5+ is that scripts by default run minimized. You will have to specify
this in Group Policy or an alternative is to START /NORMAL a second batch
file to make sure that it is visible to the user.

-Harry Bates
Lockheed-Martin


"Marty List" <Bill....@sun.com> wrote in message
news:utqQzULoCHA.2224@TK2MSFTNGP09...

Harry Bates

Dec 10, 2002, 11:56:10 PM
Bill, as a side question that doesn't pertain to cmd scripting, is
NetServerEnum necessary in your util? In NT4 the only writable DC is the PDC
via an admin or user. Doesn't this also hold true for writing the last logon
time seconds or is this considered an internal function that truly does
synchronize amongst the other DCs instead of just overwriting with overruled
newer PDC info? Would polling the PDC of the domain achieve the same thing
instead of having to contact all DCs? I am not sure on this but I will look
into it. If you are sure then please let me know and save me the hassle of
researching. If it is the way you specified, and the BDCs also were able to
write this info, then instead of going through the hassle of polling all of
the DCs via NetServerEnum again, just use environ$("LOGONSERVER") because
that will definitely be the server with the latest info. Just a thought. And
yes, all of the functions of NetUserGetInfo I have found to work flawlessly in
NT5 AD also.

-Harry Bates
Lockheed-Martin

"Harry Bates" <harry...@NOSPAMlmco.com> wrote in message
news:Og#$KYMoCHA.2440@TK2MSFTNGP11...

Bill Stewart

Dec 11, 2002, 11:00:13 AM
Michael Bednarek <m...@tgm.com.au> wrote:

> But if user Jane runs truelast during her login, it would show the login
> time of this very session, no?

You are correct...which means that truelast is not suitable for returning
the previous logon for the currently logged on user. Oops. :-)


Bill Stewart

Dec 11, 2002, 11:07:36 AM
Harry Bates <harry...@NOSPAMlmco.com> wrote:

> Bill, as a side question that doesn't pertain to cmd scripting, is
> NetServerEnum necessary in your util?

Yes, because (at least in an NT4 domain, and I assume the same in a 2K
domain also) the last logon time for a user is updated independently on
each DC. Per the Win32 API documentation about USER_INFO_2:

usri2_last_logon

Specifies when the last logon occurred. This value is stored as the
number of seconds elapsed since 00:00:00, January 1, 1970. This member is
ignored in NetUserAdd and NetUserSetInfo calls. This member is maintained
separately on each Backup Domain Controller (BDC) in the domain. To get
an accurate value, each BDC in the domain must be queried, and the
largest value is used.


Harry Bates

Dec 11, 2002, 8:17:52 PM
Your program doesn't work now but it would in certain circumstances if your
util was modified. Situation: If the domain had more than one DC, and you
took the second largest time in seconds instead of the first largest hoping
that a sync did not happen at the exact time you logged in. Then it would
show the true previous logon time.

-Harry Bates
Lockheed-Martin

"Bill Stewart" <bste...@iname.no_spam.com> wrote in message
news:ui9On#SoCHA.2208@TK2MSFTNGP12...

Bill Stewart

Dec 12, 2002, 3:54:22 PM
Harry Bates <harry...@NOSPAMlmco.com> wrote:

> Your program doesn't work now but it would in certain circumstances if
> your util was modified. Situation: If the domain had more than one DC,
> and you took the second largest time in seconds instead of the first
> largest hoping that a sync did not happen at the exact time you logged
> in. Then it would show the true previous logon time.

I don't think this will work, because the last logon time is kept
independently on each DC; e.g. the last logon time is not replicated from
the BDCs to the PDC in an NT4 domain.

One suggestion is to write a script or application that would grab the
logon events from the security logs of all the DCs, store it somewhere, and
use that to display a logon time.
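The per-DC behaviour Bill quotes from the USER_INFO_2 documentation above, and the reason the "second largest value" idea from Harry's post cannot recover the previous logon, can be simulated on constructed data. The Python below is an added example, not code from this thread or from truelast.exe: it assumes three hypothetical DCs (DC1, DC2, DC3) and a made-up logon history for one user, and stands in for the NetServerEnum/NetUserGetInfo calls with a dictionary of what each DC's usri2_last_logon field would hold.

```python
# Simulation of NT4/2000 domain controllers keeping USER_INFO_2.usri2_last_logon
# separately per DC, and what that means for "largest" and "second largest".
# Added example with constructed data; DC names and timestamps are made up.

DCS = ["DC1", "DC2", "DC3"]   # hypothetical DCs, as NetServerEnum would list them

# Constructed logon history for one user: (username, seconds since
# 1970-01-01 00:00:00, DC that authenticated the logon). The last tuple is
# the session being established right now.
EVENTS = [
    ("jane", 1039500000, "DC1"),
    ("jane", 1039520000, "DC2"),
    ("jane", 1039550000, "DC1"),
    ("jane", 1039600000, "DC1"),  # the current session
]


def per_dc_last_logon(events, user, dcs):
    """What each DC's usri2_last_logon would hold for `user`: the most recent
    logon that DC itself authenticated, 0 if it never saw the user. Nothing
    is replicated between DCs, matching the API documentation quoted above."""
    last = {dc: 0 for dc in dcs}
    for name, ts, dc in events:
        if name == user and ts > last[dc]:
            last[dc] = ts
    return last


def true_last_logon(per_dc):
    """The truelast approach: query every DC and keep the largest value.
    Returns (dc, timestamp). Once the current session has been recorded this
    is the logon happening now, which is Michael Bednarek's objection."""
    dc = max(per_dc, key=per_dc.get)
    return dc, per_dc[dc]


def second_largest(per_dc):
    """Harry Bates' suggestion: take the second largest per-DC value."""
    values = sorted(per_dc.values(), reverse=True)
    return values[1] if len(values) > 1 else 0


def actual_previous_logon(events, user, current_ts):
    """Ground truth for what the user wants: the latest logon strictly before
    the current one, regardless of which DC handled it."""
    earlier = [ts for name, ts, _ in events if name == user and ts < current_ts]
    return max(earlier) if earlier else 0


if __name__ == "__main__":
    per_dc = per_dc_last_logon(EVENTS, "jane", DCS)
    print("per-DC values:      ", per_dc)
    print("largest (truelast): ", true_last_logon(per_dc))
    print("second largest:     ", second_largest(per_dc))
    print("actual previous:    ", actual_previous_logon(EVENTS, "jane", 1039600000))
```

With this history the second largest value is DC2's entry, the latest logon that some other DC happened to authenticate, while the real previous logon was on DC1 and has already been overwritten by the current session on that same DC. Two consecutive logons through one DC leave no trace of the earlier one anywhere, which is why the thread ends up at capturing logon events or logon-script records instead.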


Harry Bates

Dec 12, 2002, 9:50:50 PM
Unfortunately for events the user would have to have rights.
Best bet, just log it to a file or database like I do at work. It always
works fine.

--

-Harry Bates
Lockheed-Martin

"Bill Stewart" <bste...@iname.no_spam.com> wrote in message
news:eeG0iDioCHA.1952@TK2MSFTNGP11...

Al Dunbar

Dec 13, 2002, 1:01:19 AM

"Mike Chia" <mike...@hotmail.com> wrote in message
news:623c6dd1.02121...@posting.google.com...

> Hi All,
> Does anyone know if there is any script or ways to pop up a window
> to show user's last logon time before they sign in to the W2K network?

You elicited some pretty enlightening comments with your post. But nobody
seems to have commented directly on the critical phrase "... *BEFORE* they
sign in ...". IMHO, before a person signs in, the server cannot possibly
know who they are. If it did know this, there would be no need for the
standard login process. And if more users realized this simple fact, fewer
of them would ask me: "so why can't you figure out who it is that has been
breaking in to/trying to break in to - my account?" - ;-)

Further to this, while a workstation is not logged in, I don't want it
capable of giving out ANY information of any sort, whether it be corporate
data, a list of usernames, or the date of the last login.

> The reason I want to do this is a lot of users in my facility are
> complaining that their settings have been changed overnight, and they
> want to make sure no one logged on overnight without their
> acknowledgement. Any help is greatly appreciated. Thanks

Well, you *could* just do something like:

echo.Account %username% has not been used since you last logged in.

If you were to do this, I bet that *some* people would thank you. Those that
realized the lack of content it conveyed could simply be told that the code
was not quite complete yet...

In our environment our logon script logs every login into a text file on our
server with date, time, username, workstation name, and a few other things.
Certainly I could fake this by adding or deleting entries, but I have rarely
needed to use it to prove anything to anyone else. Of course, those login
scripts only run when they login at my particular facility.

I have played with vbscripts that will poll all of the DC's in our AD for
this kind of information, but I would not want to factor that into our login
scripts. It would be better, imho, to develop a script like that and run it
on an hourly basis for a week or two, or until you get a complaint. You
could then explain the unlikelihood of an undetected overnight login by
someone else to the user.

Alternately, you could explain that, if they change their password while
nobody is in the room, avoid writing it down or saying it out loud, and etc.
then it will be as impossible as possible for someone to be able to login to
their account.

Hey, here is an idea that came to me in a flash! Write a logoff script that
expires their password! I don't know if a regular user has the priv to
change this directly - perhaps not. If someone else is able to login (i.e.
because they know the old password), they will have to change it in their
illicit session. When the actual user goes to log in the next time, he will
be unable to, because he will not know what the phantom user changed it to.

Leave that one running for a week and your users will beg you to turn it
off.

/Al


Al Dunbar

Dec 13, 2002, 1:01:26 AM

"Michael Bednarek" <m...@tgm.com.au> wrote in message
news:ru1dvu8vgl9rbiqde...@4ax.com...

And highly suspect from a security point of view - thereby subverting the
original intent of the question.

/Al


Bill Stewart

Dec 13, 2002, 11:05:58 AM
Harry Bates <harry...@NOSPAMlmco.com> wrote:

> Unfortunately for events the user would have to have rights. Best bet,
> just log it to a file or database like I do at work. It always works
> fine.

Guess I wasn't too clear...the script could run with administrator
privileges and store the info in a data file. The user could then have read
access to the data. No need for the user to have read rights to a DC's
security log.
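The logon-record approach that Marty List, Al Dunbar and Bill describe (a logon script, or an administrator-privileged collector, appends one line per logon with date, time, username and workstation; the next logon shows the line before it), together with Mark V's check for logons inside an overnight window, as an added example in Python. It is not code from this thread or from KiXtart: the log is kept as a list of tab-separated lines so it runs offline, and the usernames, workstation names and timestamps are constructed.

```python
from datetime import datetime, time

# Added example with constructed data. One tab-separated line per logon:
# "YYYY-MM-DD HH:MM:SS<TAB>username<TAB>workstation". In production the writer
# (a logon script, or an admin-privileged collector reading the DCs' security
# logs) appends to a file that ordinary users can only read, as Bill suggests.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed history: 'jane' was logged on at 02:17 from a different machine.
SAMPLE_LOG = [
    "2002-12-09 08:05:12\tjane\tWS-ACCT-07",
    "2002-12-09 17:42:30\tbob\tWS-ENG-02",
    "2002-12-10 02:17:44\tjane\tWS-ACCT-11",
]


def format_record(when, user, workstation):
    """Build one log line for a logon."""
    return f"{when.strftime(TIME_FORMAT)}\t{user}\t{workstation}"


def parse_record(line):
    """Return (datetime, user, workstation) for one log line."""
    stamp, user, workstation = line.rstrip("\n").split("\t")
    return datetime.strptime(stamp, TIME_FORMAT), user, workstation


def previous_logon(log_lines, user):
    """Most recent record for `user` in the log as it stood before the current
    logon was appended; None if the user has never logged on here."""
    records = [r for r in map(parse_record, log_lines) if r[1] == user]
    return max(records, key=lambda r: r[0]) if records else None


def logon_script(log_lines, now, user, workstation):
    """One run of the logon script: look up the previous logon first, then
    append the current one. Returns (message for the user, updated log).
    The input list is left unchanged."""
    prev = previous_logon(log_lines, user)
    if prev is None:
        message = f"No previous logon recorded for {user}."
    else:
        message = (f"Previous logon for {user}: "
                   f"{prev[0].strftime(TIME_FORMAT)} from {prev[2]}")
    return message, log_lines + [format_record(now, user, workstation)]


def overnight_logons(log_lines, user, start=time(22, 0), end=time(6, 0)):
    """Mark V's server-side check: records for `user` whose time of day falls
    in a window that may wrap past midnight (default 22:00 to 06:00)."""
    def in_window(t):
        if start > end:                      # window crosses midnight
            return t >= start or t < end
        return start <= t < end
    return [r for r in map(parse_record, log_lines)
            if r[1] == user and in_window(r[0].time())]


if __name__ == "__main__":
    msg, log = logon_script(SAMPLE_LOG, datetime(2002, 12, 10, 8, 1, 5),
                            "jane", "WS-ACCT-07")
    print(msg)
    for rec in overnight_logons(log, "jane"):
        print("overnight logon:", rec)
```

The lookup runs before the append so the banner never reports the session that is just starting, which is the trap truelast falls into. Because the file is the only source of truth, Al's caveat applies unchanged: the record is only as trustworthy as the write permissions on it, so users should get read access and nothing more.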

