Is it possible to remotely check (API) which users are logged in on NT/W2k domain ?


B

Bonny Gijzen

Hi,


I want to write an app, which periodically asks the NT domain controller
(w2k also) which users are logged on.
Is this possible at all?
Can anybody point me to the correct MSDN chapter?
(I have been searching, but can't find anything for what I need)


Thanks in advance,


Bonny Gijzen
Holland
 
Ad

Advertisements

J

Joe Richards [MVP]

The concept of logon is not the same as it is in UNIX or Mainframes. You don't necessarily have a hard connection to a
machine. It is better to think of the domain controllers as authenticating you versus logging you in. When a person logs
on to a PC, depending on how many resources on different servers they have the domain controller could authenticate them
multiple times, once for each different server they have to touch.

So when you look at a Domain Controller, you can look through the event log to see who has been authenticated (as long
as auditing is enabled) but it won't tell you who is currently still online. Also you will usually see multiple
authentications right together for the same person. If you want to know who has a hard connection to a domain controller
on the spot you can enumerate the netbios sessions open the domain controller as that will tell you who currently has a
connection to the DC. However note that people could be "logged on" that don't have hard connections to the DC currently
because they timed out.

The event log stuff can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/readeventlog.asp which is the link for the
ReadEventLog API call.

The info for session enumeration can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netsessionenum.asp - NetSessionEnum.

To see logon sessions on a specific machine (say a workstation) check out
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/lsaenumeratelogonsessions.asp -
LsaEnumerateLogonSessions
 
B

Bonny Gijzen

Hi,

Thanks for the reply.
Yes, I understand what you mean. So what I would want isn't really possible.
I thought that the DC would hold a some list of logged in (authenticated)
and logged off users, but I guess it doesn't :(

Thanks

Bonny


Joe Richards said:
The concept of logon is not the same as it is in UNIX or Mainframes. You
don't necessarily have a hard connection to a
machine. It is better to think of the domain controllers as authenticating
you versus logging you in. When a person logs
on to a PC, depending on how many resources on different servers they have
the domain controller could authenticate them
multiple times, once for each different server they have to touch.

So when you look at a Domain Controller, you can look through the event
log to see who has been authenticated (as long
as auditing is enabled) but it won't tell you who is currently still
online. Also you will usually see multiple
authentications right together for the same person. If you want to know
who has a hard connection to a domain controller
on the spot you can enumerate the netbios sessions open the domain
controller as that will tell you who currently has a
connection to the DC. However note that people could be "logged on" that
don't have hard connections to the DC currently
because they timed out.

The event log stuff can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/
readeventlog.asp which is the link for the
ReadEventLog API call.

The info for session enumeration can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/net
mgmt/netsessionenum.asp - NetSessionEnum.
To see logon sessions on a specific machine (say a workstation) check out
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/se
curity/lsaenumeratelogonsessions.asp -
 
Ad

Advertisements

J

Joe Richards [MVP]

Nope. Consider the situation of a user who logs on with a laptop and then hibernates... is she logged on or off? Then
when she comes back if it is less than the kerberos ticket time she won't necessarily have to authenticate again yet.

--
Joe Richards
www.joeware.net
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads


Top