Discussion in 'Scripting' started by Jmnts, Oct 17, 2008.

  1. Jmnts

    Jmnts Guest

    Hi everyone,

    I'm starting to using (WMI) I downloaded the WMI code creator and
    scriptomatic and I used the Win32_UserAccount, but this doesn't give me the
    last time that they logged on?

    I'm starting going crazy with this... :(

    For example I also nee to get software installed on those servers, again I
    used scriptomatic to create a script with Win32_Product, guess what?? Not all
    installed software is returned? Why? I did a test on a server with SQL
    installed and the SQL wasn't listed?

    Thank you all.
    Jmnts, Oct 17, 2008
    1. Advertisements

  2. Jmnts

    Jmnts Guest

    Anyone with WMI script solution for this?
    Jmnts, Oct 18, 2008
    1. Advertisements

  3. Jmnts

    Marcin Guest

    Instances of Win32_Product represent software that have been installed via
    Windows Installer (which does not necessarily correspond to all locally
    installed programs). While I'd expect MS SQL Server to fall in this
    category, I'm not sure which property you were checking, which version of
    SQL Server you are referring to, and how you installed it.
    As far as the last logon time, none of the properties of Win32_UserAccount
    class contain the info you are looking for. One way to get an estimate
    (although this is likely give you the logoff - rather than logon - time, is
    to check the date of locally cached profiles). The following script will
    give you this info:

    On Error Resume Next

    Const HKEY_LOCAL_MACHINE = &H80000002
    sPCName = "Target_computer"
    sValueName = "ProfileImagePath"

    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oRegistry = GetObject("winmgmts:\\" & sPCName &
    sKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    oRegistry.EnumKey HKEY_LOCAL_MACHINE, sKeyPath, aSubkeys

    For Each oSubkey In aSubkeys

    sSubPath = sKeyPath & "\" & oSubkey
    oRegistry.GetExpandedStringValue HKEY_LOCAL_MACHINE, sSubPath, sValueName,
    sProfileName = Right(sValue, Len(sValue) - InStrRev(sValue, "\"))

    Set oFolder = oFSO.GetFolder("\\" & sPCName & "\" & Replace(sValue, ":",
    "$", 1))
    sModifiedDate = oFolder.DateLastModified
    WScript.Echo sValue & vbTab & sProfileName & vbTab & sModifiedDate


    Alternatively, you might be able to lookup this info in Active Directory
    (assuming that you are referring to domain accounts)...

    Marcin, Oct 22, 2008
  4. To find the last time users logged into the domain you must query AD. I have
    example VBScript programs linked here:

    http://www.rlmueller.net/Last Logon.htm

    Use LastLogonTimeStamp.vbs if your domain is at Windows Server 2003
    functional level. Otherwise you can always use LastLogon.vbs.
    Richard Mueller [MVP], Oct 22, 2008
  5. Jmnts

    Al Dunbar Guest

    I think what he wants is the user's last logon on that particular
    workstation, not the user's last logon anywhere in the domain.

    Al Dunbar, Oct 23, 2008
  6. Jmnts

    J Ford Guest

    Good cmd line util

    :/>netusers \\machinename /h

    That or regarding WMI, enumerate the ProfileImagePath found under
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList", then pass
    that to a function to using Win32_OperatingSystem to get the LastModified
    date of the ntuser.dat.
    J Ford, Oct 23, 2008
  7. Jmnts

    J Ford Guest

    Well shoot, if I'd of read Marcin's replay... that's it :)
    J Ford, Oct 23, 2008
  8. Jmnts

    Jmnts Guest

    I everyone, first of all let me thank you forall responses.

    I Richard, in fact I need a script that I should run against several servers
    (member servers and not DCs) and check who logged in that server and when was
    the last time that they did that (I need to check this for local accounts and
    domain accounts)

    For example:
    JSmith - Last Logon 10-10-2008
    Domain\Bill - LastLogon 11-10-2008

    Hi Martin,

    I tried your script and it works, however the last logon dates are NOT
    correct, I think that getting the profile lastlogon using the changed date of
    the profile won't work vedry well.

    Thank you all.
    Jmnts, Oct 27, 2008
  9. The WMI Win32_UserAccount class is not appropriate here. It would be
    inefficient to access domain accounts with it, and it exposes very few
    attributes. For example lastLogon is not exposed. It is used mostly for
    limited purposes for local accounts.

    Local accounts are stored in the SAM account database on the local computer
    (whether member server, DC, domain joined client, or standalone
    workstation). You use the WinNT provider to access information on local user
    objects. Domain users are stored in Active Directory, a distributed
    database. In most cases you use the LDAP provider and connect to the first
    (nearest) Domain Controller that responds to your request. Most information
    is identical no matter which DC is contacted. One of the exceptions is the
    lastLogon attribute, which is not replicated.

    To retrieve lastLogin for all local users in a computer (member server or
    whatever) the code could be:
    Option Explicit
    Dim strComputer, objComputer, objUser, dtmLastLogin

    ' Specify the computer.
    ' This can be remote (if you have permissions).
    strComputer = "MyServer"

    ' Bind to the computer object.
    Set objComputer = GetObject("WinNT://" & strComputer)

    ' Filter on objects of class user.
    objComputer.Filter = Array("user")

    ' Enumerate all local users.
    For Each objUser In objComputer
    On Error Resume Next
    dtmLastLogin = objUser.lastLogin
    If (Err.Number <> 0) Then
    On Error GoTo 0
    dtmLastLogin = "Never"
    End If
    On Error GoTo 0
    Wscript.Echo objUser.Name & "; " & dtmLastLogin
    Note the WinNT provider exposes the attribute with the name lastLogin, not
    lastLogon. Also, there is no issue like replication to complicate the
    situation, and the value is a date/time (so no conversion is required). The
    only quirk is that an error is raised if the user has never logged in. This
    error is trapped and handled in my example above.

    For domain accounts it is best to use ADO to retrieve the names of all users
    and the value of either lastLogon or (if the domain is at Windows Server
    2003 functional level) lastLogonTimeStamp. Both attributes are Integer8 (a
    64-bit number representing a date) so they must be converted to a date/time
    in the current time zone (or left in UTC). Also, the lastLogon attribute is
    not replicated, so you must specifically query every DC in the domain to get
    the largest (latest) value for each user. I previously linked example
    VBScript programs to retrieve lastLogon or lastLogonTimeStamp for all users
    in the domain.

    It makes little sense to code a program to retrieve values for both local
    and domain users. The information on domain users would be identical on
    every computer (such as member servers). A more important concept is that AD
    does not know or save any information on which domain users login to which
    computers. AD knows nothing of local users. The local SAM account database
    knows nothing about domain users. You might attempt to determine which
    domain users have logged into a computer by searching local profiles, but on
    the newer clients you should not have permission to view this information.

    If you need to know which users login to a computer (such as a member
    server), one solution would be a logon script that logs computer name, user
    name, and date/time to a shared log file. I have an example linked here:


    This would only apply to domain users, but a similar local logon script
    could be written. Another issue is that perhaps you should not allow users
    (except the Administrator user) to login locally to a member server.
    Richard Mueller [MVP], Oct 28, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.