This is a UNIX or Mainframe mindset. Logons are a more nebulous concept
in Windows. There isn't anything keeping a running tally of who has
logged into the domain and who has logged out. Doing something like that
is difficult at best in a distributed system like the Windows domain
structure is. Also consider things like hibernation and such where you
are in fact actually still logged on with credentials but not connected
to anything. 

You actually do an interactive logon to a workstation which may or may
not be a domain logon, then anytime you touch a resource a type of logon
occurs with that resource as well whether it is the passing of a
Kerberos cert to say you are ok to actually passing full credentials.
Also a person could actually be "logged on" using resources with a
domain ID without actually being logged on interactively with their
domain ID. Take for instance my laptop that I bring to the office, I log
on to a local ID on the laptop but when I attach to various resources, I
connect as an ID to each that has the access rights that I require. When
a person logs on interactively to a domain and reconnects to multiple
resources such as file and print servers or other resources that use
Windows authentication you will often see multiple logon events in the
Domain Controllers event log for them. That helps illustrate the
authentication scheme I am describing.

To see who is connected to any given resource you can do a session or
file enumeration. Session enumeration will show you who has current
NetBIOS pipes to a server or client (aka sessions). A file enumeration
will show you who has files open on a specific server or client. If they
have files open they will also have a session open so if you are looking
to see who is actually using a resource (i.e. logged into it whether
with credentials or anonymously) you usually do a session enumeration.

Session enumerations can be done with server manager or the computer
management mmc or NET SESSIONS command or if you want a simple remote
command line method you can check out netsess on www.joeware.net on the
free win32 tools page. 

You also have interactive logons like through TS. You can check
sysinternals for tools that will show you all interactive logons to a
single machine. You can also do it in a semi-reasonable poor man's way
by looking at the NetBIOS name table for a given machine (nbtstat -a
machinename) and looking for all of the messenger service records <03>.

About the closest/simplest I can think of to get you to kind of what I
think you are looking for would be to do a session enumeration on all of
your DC's or any file servers that all people always connect to. Note
that a runas or net use connection to a given machine without a
corresponding interactive logon will most likely not spawn a session on
a DC. 


Here is an example of netsess run against one of my test DC's at home:

F:\Dev\cpp\NetSess>netsess \\wserver1

NetSess V01.01.00cpp  Joe Richards ([EMAIL PROTECTED]) October 2002

Enumerating Machine: \\wserver1

Client                 User Name                Time       Idle Time
-------------------------------------------------------------------------
\\MAIN                 JOE                      128:41:46  000:00:00
\\192.168.0.1          WSERVER1$                000:00:26  000:00:00

Total of 2 entries enumerated

F:\Dev\cpp\NetSess>



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard
Sumilang
Sent: Tuesday, July 29, 2003 2:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Users Logged In


How do I know what users are currently logged in? They are all logging 
into the domain into active directory but I don't know where to see the 
users that are currently logged and which ones aren't. Secondly would 
it show if they are idle?

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
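
The reply's suggestion of enumerating sessions on every DC or shared file server, as an added example that is not part of the original thread: Python that parses saved netsess output per server, drops machine accounts and reports where each user is connected and whether all of their sessions are idle. The `\\wserver2` capture, the names ALICE and WS42, the function names and the 900-second idle threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed input: the \\wserver1 rows are the netsess output shown in the
# message above; the \\wserver2 capture is invented for this example.
CAPTURES = {
    r"\\wserver1": r"""
Client                 User Name                Time       Idle Time
-------------------------------------------------------------------------
\\MAIN                 JOE                      128:41:46  000:00:00
\\192.168.0.1          WSERVER1$                000:00:26  000:00:00
Total of 2 entries enumerated
""",
    r"\\wserver2": r"""
Client                 User Name                Time       Idle Time
-------------------------------------------------------------------------
\\MAIN                 JOE                      003:02:10  000:20:00
\\WS42                 ALICE                    005:00:00  002:10:00
Total of 2 entries enumerated
""",
}
ROW = re.compile(r"^(\\\\\S+)\s+(.+?)\s+(\d+:\d\d:\d\d)\s+(\d+:\d\d:\d\d)\s*$")

def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_netsess(text):
    # Only rows that start with a \\client name match; header, rule and total are skipped.
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            client, user, up, idle = m.groups()
            rows.append({"client": client, "user": user,
                         "time": to_seconds(up), "idle": to_seconds(idle)})
    return rows

def summarize(captures, idle_after=900):
    # Machine accounts (names ending in $) are dropped. A user is idle only
    # when every one of their sessions has been idle longer than idle_after.
    sessions, min_idle = defaultdict(list), {}
    for server, text in sorted(captures.items()):
        for r in parse_netsess(text):
            if not r["user"].endswith("$"):
                sessions[r["user"]].append((server, r["client"]))
                min_idle[r["user"]] = min(r["idle"], min_idle.get(r["user"], r["idle"]))
    return {u: {"sessions": s, "idle": min_idle[u] > idle_after}
            for u, s in sessions.items()}
```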
