Hey, Scripting Guy! How can I count the number of times a user has logged on to a computer?
— DE
Hey, DE. How can you count the number of times a user has logged on to a computer? Good question and, ultimately, the answer might be: you can’t. But let’s at least explore some possible solutions and see if any of them will help.
First of all, let’s draw a distinction between logging on to a computer and logging on to a domain. If you’re running Active Directory, it’s possible to determine the number of times a user has logged on to the domain; that’s because the user account object includes a property – LogonCount – that keeps track of this very thing.
The one catch here is that the LogonCount property is not replicated between domain controllers. Does that matter? Well, if you have only one domain controller then, no, it doesn’t matter at all. If you have more than one domain controller, however, you’ll need to bind to each of these computers, retrieve the logon count, and then add those numbers together to find out how many times a user has logged on to a domain. In other words, Ken Myer might have been authenticated 5 times by domain controller A and 3 times by domain controller B. You need to add those two numbers – 5 and 3 – to determine that Ken has logged on to the domain 8 times.
Incidentally, here’s a script that binds to the domain controller atl-dc-01 and echoes the LogonCount value for the user Ken Myer:
Set objUser = GetObject _ (“LDAP://atl-dc-01/cn=ken myer, ou=Finance, dc=fabrikam, dc=com”) Wscript.Echo objUser.LogonCount
Again, you’ll need to repeat this script for each of your domain controllers in order to get an accurate count of Ken Myer’s logons.
Of course, you specifically asked about counting the number of times a user has logged on to a computer. That’s a bit trickier; unfortunately, the WinNT provider – which is used to manage local user accounts and Windows NT 4.0 domain accounts – doesn’t support the LogonCount property. Because of that, the only way we know of to count user logons is to query the Security event log. If you have enabled auditing for user logons, each time a user successfully logs on to a computer an event (with an event code of 528) is recorded in the Security event log. To find out how many times Ken Myer has logged on to a computer we simply need to query the Security event log for all events where the EventCode is equal to 528 and the User is fabrikam\\kmyer (and yes, both \’s are required in the query):
strComputer = “.” Set objWMIService = GetObject(“winmgmts:{(Security)}\\” & _ strComputer & “\root\cimv2”)Set colEvents = objWMIService.ExecQuery _ (“SELECT * FROM Win32_NTLogEvent WHERE LogFile = ‘Security’ AND ” & _ “EventCode = 528 AND User = ‘fabrikam\\kmyer'”)
Wscript.Echo colEvents.Count
This will work, although there are some caveats. First of all, if you haven’t enabled auditing these records won’t get written to the Security event log. Second, any time you clear the event log all events are, well, cleared. As a result, all logon counts for all users will effectively get set back to 0. If you want to keep a running tally of user logons, you’ll either have to never clear your event logs (not recommended) or you’ll have to keep track each time you do clear the event logs. It’s not an impossible task, but it’s also not as easy as it probably could be. But it’s about the only option open to us.
0 comments