unidentifed computer on network - how do I find the user 1

[danm65]

I have an unidentified computer on the network. The tech that setup the computers does not know where that one was setup. Is there a way that you can tell who is logged on? If I can find out the logged on username, I can find the computer. Thanks !

 

[markdmac]

You can use this script to find out. Copy the code and paste to a text file. Name the file with a vbs extension.

'==========================================================================
'
' NAME: WhoIsLoggedInThere.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: [URL unfurl="true"]http://www.thespidersparlor.com[/URL]
' DATE  : 3/29/2005
'
' COMMENT: Prompts for a PC name and returns currently logged in user
'
'==========================================================================

strComputer = InputBox("Computer to Query for Logged In User","Search where?")

On Error Resume Next

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem",,48)
For Each objItem in colItems
    Wscript.Echo "UserName: " & objItem.UserName & " is logged in at computer " & strComputer
Next

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[danm65]

Mark, thanks that a great script. I didn't know you could write things that would reflect information like that. Being a programmer I am going to look at more things I can do with it.

The problem is that for that machine it didn't return anything. It is so strange cause I can ping the machine. Active directory doesn't know of the machine either. Do you now of a way that I can force that machine off the system?

thanks

 

[markdmac]

Try using the IP address instead of the machine name.

So if I get what you are saying, this machine is just plugged in some place but not a member of the domain? Do you use static or dynamic IP addresses? If you use DHCP, have it be intergrated with AD and deny giving addresses to any machine that does not authenticate.

If you think you don't have an intruder and will get cooperation, you could also try a NET SEND command to send a message to the machine for the person to identify themselves.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[danm65]

Thanks for the info. I will do both of your suggestions. Take care

 

[LiverpoolFan]

If you know the machine name/IP Address, you can try sending a scheduled job to it.

Or, you can edit the registry of the PC(assuming you can attach to it) and use the Run key to run the script at logon (HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run).

A script as simple as:

echo.%username% >c:\testusername.txt
copy c:\testusername.txt \\<yourservername>\<yoursharename>

Will create a text file called testusername.txt containing the username that is logged on. If you get the desired affect (ie a user account) you can then disable that account and wait for a call (if it is a proper user).

If you have a general logon script that all accounts use, you could add the above lines in if you wish. If this works, you could then do:

echo.%username% >c:\%computername%%username%logon.txt
copy c:\%computername%%username%logon.txt \\<yourservername>\<yoursharename>

This would create a text file on drive C: of the PC called the PCnameUsernamelogon.txt and copy it to your specified location.

The only problem with that solution is that you would get a lot of results, but if you know the name of the PC, you could just do a search.

Anyway, hope that helps, but I am assuming alot in some of the suggestions (for instance, that you can connect to the PC in question).

 

[danm65]

That is the problem. The pc will not let me into any part of the machine.

 

[LiverpoolFan]

You could try the second suggestion with the logon scripts, or if you are feeling brave you can try adding the computer name to the AD and next time it reboots try attaching to it.

 

[danm65]

I did add that machine to the AD, just waiting for them to reboot now. I will try your second suggection too. Thanks
I wish that one of these Extreme routers would tell me what port they were using.

 

[nickpark]

Will

nbtstat -A <ip addr>

not work?

 

[danm65]

Yea that is giving me the name of the machine and the group. The group shows our domain name.

 

[LiverpoolFan]

Do you know what the local administrator account and password should be?

If so (and you do not want to wait for the PC to reboot), do start - run and type \\<computername>\c$, this should make it ask you for username and password.

Username = <Computername>\administrator (or whatever the local account would be)
Password = local admin password

Again, that is assuming this has not already been done.

 

[LiverpoolFan]

Sorry, forgot to add, this would then allow you to view the Event Logs and create the scheduled tasks as shown above.

 

[bazzert]

Have you tried something like VNC and see if you can pick up the desktop. That way you can send a ctrl-alt-del and see who is logged on to it.

If VNC won't pick up the machine its a good chance its running XP with the firewall enabled.

 

[danm65]

Well you would have to have vnc running on the client machine already. We have remote software but it says I do not have authority. I am the Admin though.

 

[bazzert]

If you have VNC on your server and the machine is part of the domain as you say it should be listed as a host of that domain.

You should then be able to connect to the host.

 

[markdmac]

One other thought since you mentioned that the machine is a member of a workgroup, this could be a Windows 98 box.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark