How to find out which user last logged onto a PC (PC has gone missing)

[bodminman]

Hi there,

We have had a PC go missing from a room and I'd like to find out who was the last user to log on to it.

How can I do this using the server event viewer (or anything else)? I have the IP/pc name but going through the event logs will take hours. Is there a tool I could use or a slicker method for detecting activity between the server and this particular PC?

Thanks

[Patrickv]

If it was the PC itself then we could use this cool program that must be execute from command prompt. I keep forgetting the name of that one. However, you are stuck with event viewer unless you installed logging software on your network. I have done this sort of thing before and can work on very small scale and when all computers are off. Maybe restrict the time-frame will help narrow down and what type of event ID you are looking for. Might I suggest you bolt down the PC's to the desk. I have helped someone in the past with that. Thats the way to stop future thefts.

[tech_guy]

Unless you use something like Policy Central, etc as Patrickv has said you're stuffed if you can't find anything in the event logs (printing by the user, etc). We usually track down the culprits by dragging all the suspects in until one of them either confesses or dobs on the one that was guilty.

[pete]

Unless you're already managing your event logs (with something like Splunk, Ossec etc) I'm afraid you're stuck with EventCombMT.exe (google) which is better than manually filtering event logs.

EventCombMT.exe - A Good Tool To Collect Event Logs - Nuo Yan (still works on 2008R2, just be aware of new security events)

Take note of: Description of security events in Windows Vista and in Windows Server 2008

[rad]

How do you know the person last logged on was the person that nicked it?

[purkle_turkle]

This any good?

Code:

Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."
 
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
 
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon"
strValueName = "DefaultUserName"

objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

Wscript.Echo strValue

Source =
Hey, Scripting Guy! How Can I Get the Name of the Last User to Log on to a Computer? - Hey, Scripting Guy! Blog - Site Home - TechNet Blogs

[bodminman]

How do you know the person last logged on was the person that nicked it?

Fact finding!

We don't but at least well know when it was last used so that we can be more accurate with the timeframe in which it was taken. Also we can then see who was teaching in the room at that point as they are responsible for opening/locking it up.

People who are using the room are also responsible for making sure everything is in order before they leave.

[purkle_turkle]

I find this dulo.bat useful as well for curently logged on users... you just need PSTools installed on your workstation and you can pipe the bat > to a log file

Code:

@echo off
setlocal
for /f "Tokens=1" %%c in ('net view /domain:"%USERDOMAIN%"^|Findstr /L /C:"\\"') do (
 for /f "Tokens=*" %%u in ('PsLoggedOn -L %%c^|find /i "%USERDOMAIN%\"') do (
  call :report %%c "%%u"
 )
)
endlocal
goto :EOF
:report
set work=%1
set comp=%work:~2%
set user=%2
set user=%user:"=%
call set user=%%user:*%USERDOMAIN%\=%%
@echo %comp% %user%

Source =
http://www.windowsitpro.com/article/...ain-computers-

[purkle_turkle]

Sorry bodminman I did not read your question properly - you don't have the client to run the command on. Doh

[bodminman]

Sorry bodminman I did not read your question properly - you don't have the client to run the command on. Doh

LOL - No probs! Although I did think you may have been taking the pi$$ for a second there.

[mac_shinobi]

On your server through the security event viewer section

Tracking Logon and Logoff Activity in Windows 2000

Event ID 528 ??

[themightymrp]

We have a REALLY old kix script that runs at login but does the job. First a logon .bat file runs this command:

Code:

%0\..\Kix32.exe \\servername\share\logthem.kix $usergroup="student"

And then the logthem.kix file looks like this:

Code:

Gosub "LOGTHEM"
Exit

:LOGTHEM

$logfile = "\\servername\share\logs\" + @MDAYNO +"."+ @MONTHNO +"."+ @YEAR +".log"
$logentry = "[" + @time + "]  " + 
            $usergroup + SubStr( "                ", 1, 12 - Len( $usergroup ) ) +
            @UserID    + SubStr( "                ", 1, 16 - Len( @UserID ) ) +
            @WKSTA     + SubStr( "                ", 1, 16 - Len( @WKSTA ) ) +
            "(" +
            Val( SubStr( @IPADDRESS0, 1, 3) ) + "." +
            Val( SubStr( @IPADDRESS0, 5, 3) ) + "." +
            Val( SubStr( @IPADDRESS0, 9, 3) ) + "." +
            Val( SubStr( @IPADDRESS0, 13, 3) ) + 
            ") " + 
            Chr( 13 ) + Chr( 10 )

$ret = Open( 1, $logfile, 5 )
If $ret <> 0
  ? ""
Else
  $ret = WriteLine( 1, $logentry )
EndIf

Return

This logs the time, user catagory (replace with $usergroup="staff"), username, machine name and IP address. It creates a fresh text file each day based on the date i.e. 3.2.2012.log

[JJonas]

adding this to a logon script is handy - but no use to you now

echo %date% %time% %computername% %username% >>\\yourserver\logon$\logons.txt