Kaseya Community

Script for user/computer account last logon?

  • Has anyone developed a script that will report back a text file of accounts (user and or computer) last logon times? We would like to schedule a monthly/quarterly script that audits this so we can keep on top of accounts that may need to be disabled that clients have not told us about?

    Thanks! - Brock

    Legacy Forum Name: Script for user/computer account last logon?,
    Legacy Posted By Username: Brock
  • This is somthing I worked on a bit for my clients.

    Because the LastLogon attribute is not replicated among domain controllers, this will need to be run against each DC in your domain for accurate results. In the case of a single DC, this works like a charm.

    This is a simple VBScript that will enumerate all user accounts in a domain and their LastLogon date.

    Usage cscript lastlogon.vbs >


    Option Explicit

    Dim objRootDSE, strConfig, adoConnection, adoCommand, strQuery
    Dim adoRecordset, objDC
    Dim strDNSDomain, objShell, lngBiasKey, lngBias, k, arrstrDCs()
    Dim strDN, dtmDate, objDate, objList, strUser
    Dim strBase, strFilter, strAttributes, lngHigh, lngLow

    ' Use a dictionary object to track latest lastLogon for each user.
    Set objList = CreateObject("Scripting.Dictionary")
    objList.CompareMode = vbTextCompare

    ' Obtain local Time Zone bias from machine registry.
    Set objShell = CreateObject("Wscript.Shell")
    lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
    If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
    ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
    lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
    End If

    ' Determine configuration context and DNS domain from RootDSE object.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strConfig = objRootDSE.Get("configurationNamingContext")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Use ADO to search Active Directory for ObjectClass nTDSDSA.
    ' This will identify all Domain Controllers.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    adoCommand.ActiveConnection = adoConnection

    strBase = ""
    strFilter = "(objectClass=nTDSDSA)"
    strAttributes = "AdsPath"
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 60
    adoCommand.Properties("Cache Results") = False

    Set adoRecordset = adoCommand.Execute

    ' Enumerate parent objects of class nTDSDSA. Save Domain Controller
    ' AdsPaths in dynamic array arrstrDCs.
    k = 0
    Do Until adoRecordset.EOF
    Set objDC = _
    GetObject(GetObject(adoRecordset.Fields("AdsPath").Value).Parent)
    ReDim Preserve arrstrDCs(k)
    arrstrDCs(k) = objDC.DNSHostName
    k = k + 1
    adoRecordset.MoveNext
    Loop
    adoRecordset.Close

    ' Retrieve lastLogon attribute for each user on each Domain Controller.
    For k = 0 To Ubound(arrstrDCs)
    strBase = ""
    strFilter = "(&(objectCategory=person)(objectClass=user))"
    strAttributes = "distinguishedName,lastLogon"
    strQuery = strBase & ";" & strFilter & ";" & strAttributes _
    & ";subtree"
    adoCommand.CommandText = strQuery
    On Error Resume Next
    Set adoRecordset = adoCommand.Execute
    If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Domain Controller not available: " & arrstrDCs(k)
    Else
    On Error GoTo 0
    Do Until adoRecordset.EOF
    strDN = adoRecordset.Fields("distinguishedName").Value
    On Error Resume Next
    Set objDate = adoRecordset.Fields("lastLogon").Value
    If (Err.Number <> 0) Then
    On Error GoTo 0
    dtmDate = #1/1/1601#
    Else
    On Error GoTo 0
    lngHigh = objDate.HighPart
    lngLow = objDate.LowPart
    If (lngLow
    lngHigh = lngHigh + 1
    End If
    If (lngHigh = 0) And (lngLow = 0 ) Then
    dtmDate = #1/1/1601#
    Else
    dtmDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
    + lngLow)/600000000 - lngBias)/1440
    End If
    End If
    If (objList.Exists(strDN) = True) Then
    If (dtmDate > objList(strDN)) Then
    objList.Item(strDN) = dtmDate
    End If
    Else
    objList.Add strDN, dtmDate
    End If
    adoRecordset.MoveNext
    Loop
    adoRecordset.Close
    End If
    Next

    ' Output latest lastLogon date for each user.
    For Each strUser In objList.Keys
    Wscript.Echo strUser & " ; " & objList.Item(strUser)
    Next

    ' Clean up.
    adoConnection.Close
    Set objRootDSE = Nothing
    Set adoConnection = Nothing
    Set adoCommand = Nothing
    Set adoRecordset = Nothing
    Set objDC = Nothing
    Set objDate = Nothing
    Set objList = Nothing
    Set objShell = Nothing


    You can use this in a number of ways via Kaseya scripting. I hope this helps get you going!

    Yours Technically,

    -Justin Carter-
    -Teklogic Inc.-

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Teklogic
  • In the interest of being thorough....

    This KScript takes the output of the above script and essentially writes it to the body of an e-mail and sends it to an address of your choosing.


    Script Name: Dump LastLogon Attribute to E-Mail
    Script Description: PLEASE NOTE: The attribute "LastLogon" is not replicated between Domain Controllers. This means that in a multi-site AD configuration, you will need to run this against all DCs in order to get appropriate results. Check the DC responsible for each site respectively.

    IF True
    THEN
    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : AgentTmp
    OS Type : 0
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : MachineID
    OS Type : 0
    Write File
    Parameter 1 : #AgentTmp#\LastLogon.vbs
    Parameter 2 : VSASharedFiles\LastLogon.vbs
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : Start: Dumping LastLogon entries...
    OS Type : 0
    Use Credential
    OS Type : 0
    Execute Shell Command
    Parameter 1 : cscript "#AgentTmp#\LastLogon.vbs" >> "#AgentTmp#\LastLogon.txt"
    Parameter 2 : 0
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : Done: LastLogon Attributes dumped to #AgentTmp#\LastLogon.txt
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : #AgentTmp#\LastLogon.txt
    Parameter 3 : LastLogon
    OS Type : 0
    Send Email
    Parameter 1 : Support@PleaseChangeMe.COM
    Parameter 2 : LastLogon Report on all AD users on #MachineID#
    Parameter 3 : #LastLogon#
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : Complete: Script "Dump LastLogon Attributes to E-Mail" completed
    OS Type : 0
    ELSE



    This is the script I use for my clients. It assumes you have uploaded LastLogon.vbs to the VSASharedFIles DIrectory on your KServer. The output e-mail is a bit unformatted due to the way Kaseya handles varibles. Anyone who is even semi-technical should be able to read the output...

    Again, I hope this helps!

    Technically,

    -Justin Carter-
    -Teklogic Inc.-

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Teklogic
  • If there is a K agent on each machine, then you can write a script to pull out this value of the registry: HKLM\Software\Microsoft\Windows NT\winlogon\defaultusername

    Its not as effective as Teklogic's script, but for the quickest way to find the last person to have logged on to a windows workstation this works.

    It can also be scripted throughout a domain if there isnt a K agent on each machine, with psexec \\* and piping the output to a text file for capture.

    Hope this helps,
    Ryan

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ryan.odwyer
  • Hello,

    please can you tell me what the 10 6 and 1 refer to in your script:

    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : AgentTmp
    OS Type : 0
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : MachineID
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : #AgentTmp#\LastLogon.txt
    Parameter 3 : LastLogon
    OS Type : 0

    Does it mean that you count 10 steps down on the drop down list of select the type of value to get from the agent. If this is the case then it would be 'File Version Number'. If I choose file version number then the script fails on step 1.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: jonnyrobertson
  • It refers to a function in the list, not necessarily position.

    You arent supposed to read the script from the forum, instead you use the import function in the script are of your K server, and copy and paste the script from the forum

    Hope this helps,
    Ryan

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ryan.odwyer
  • thank you very helpful.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: jonnyrobertson
  • It is failing on step 5 (user credentials). Any suggestions as to why?

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: trnetwork
  • Hey,

    Thats a nice script. Works like a charm for me.

    One question though, can we track what machine a person last logged into via its Machine Name?

    Cheers,

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: LANWorx
  • Havent checked this thread in awhile:

    It is failing on step 5 (user credentials). Any suggestions as to why?


    The obvious question is do you have the Credentials set properly for this user? I suggest testing the credentials for the failing agent.

    One question though, can we track what machine a person last logged into via its Machine Name?


    I suppose it is possible the VBScript example would need to be adjusted to query that information. The script uses basic LDAP lookups. So, it could be done, but thats for another thread - another time.

    Cheers,

    -Justin Carter-
    -Teklogic Inc-

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Teklogic