Get the name of who built a computer

I need a quick Analysis that would return the name and date of who built a computer. This would save me tons of legwork. Any help would be appreciated.

thanks.

How do you tell who built a computer? Are you putting that in a registry value or a file or ??

I was thinking the Analysis could look at c:\users and give me the name of the oldest profile; that would be an indicator of who built the machine. I’m not so sure how to put this into an Analysis, though. Thanks.

When you provision a machine, by default the Administrator account is being used for the initial configuration / or using a Sysprep Answer File.

In your organization, after provisioning the computer, is a technician account being used for configuration of the computer?

This isn’t perfect, and there are cases where this isn’t ideal, such as when you use Autopilot pre-provisioning, where the first user would be defaultuser0. But what we have done in the past is create a task that runs as policy and creates a registry key or flat file that creates a log that can be queried with relevance later. The issue with the first login information is that everywhere that holds that information only holds it for a short time, so you need to catch it soon after it happens.

Create a task that looks something like this.

Relevance 1
"Win7 Win10 Win11" contains Name of Operating System

Relevance 2
(Exists logged on user) And (not exist key "HKLM\Software\Policies\UserTracking" of native registry or not exist key "HKLM\software\Policies\UserTracking\Tracking\" of native registry or not exist ((key (name of current user) of it) of (key "HKLM\Software\Policies\UserTracking\Tracking" of native registry)) whose (exist value "FirstLogon" of it))

Then set an action like this

Action1 (default)
Script Type BigFix Action Script

// Enter your action script here

dos reg add "HKLM\Software\Policies\UserTracking\Tracking\{name of current user}" /v "FirstLogon" /t REG_SZ /d "{minimum of times written of (records of event log "Microsoft-Windows-Winlogon/Operational") whose (user sid of it as string as uppercase contains (name of current user) as uppercase)}" /f

Then set up an Analysis that looks something like this:

if (exist key "HKLM\Software\Policies\UserTracking\Tracking" of native registry) then if (exist (keys of (key "HKLM\Software\Policies\UserTracking\Tracking" of native registry)) whose (exist value "FirstLogon" of it)) then (name of it & ": " & value "FirstLogon" of it as string) of (keys of key "HKLM\Software\Policies\UserTracking\Tracking" of native registry) else "No Values" else "No Tracking"

2 Likes

You could also add relevance that the logged on user isn’t your local administrator account name if you don’t want it to run when that account is logged in though

1 Like

We do something similar. We have a “finalization or QA” process for all domain joined devices. The person imaging it has to log in as their domain account and run an offer. The offer finalizes some configuration items and then tags the registry with the person that provisioned it.

2 Likes

If the build account is also the domain join account, you may be able to parse the %WINDIR%\debug\netsetup.log for the name; however, the account that may be recorded will depend on your OS deployment processes.

unique values of following texts of lasts ": " of ((((lines of files (pathname of windows folder & "\debug\netsetup.log")) as lowercase) whose (it contains "account:" AND it contains "\")) as string)

For OS install date, we use this to pull the initial build date, which also caters for cases when the OS upgrade sets a new install date of the newest build.

(((month of it as two digits) & "/" & (day_of_month of it as two digits) & "/" & year of it as string) of date ("GMT" as time zone) of it & " " & ((two digit hour of it) & ":" & (two digit minute of it)) of time ("GMT" as time zone) of it) of (it * second + "01 Jan 1970 00:00:00" as local time) of (minimum of ((values "InstallDate" of keys whose (name of it starts with "Source OS") of key "HKEY_LOCAL_MACHINE\SYSTEM\Setup" of native registry as integer) ; (value "InstallDate" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as integer)))

2 Likes
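
An added example, not from any poster in this thread: an offline Python version of the netsetup.log filter above, for checking a collected copy of the log outside BigFix. It goes one step further than the relevance by keeping the earliest timestamp seen for each account; the sample lines are constructed, and the timestamp layout is an assumption about the log format.

```python
import re
from datetime import datetime

# Constructed sample lines; hosts, accounts and times are invented.
# Assumed layout: "MM/DD/YYYY HH:MM:SS:mmm <text>".
SAMPLE_LOG = [
    r"03/14/2024 09:12:05:101 NetpJoinDomain",
    r"03/14/2024 09:12:05:101     HostName: PC-0042",
    r"03/14/2024 09:12:05:101     Domain: corp.example",
    r"03/14/2024 09:12:05:101     MachineAccountOU: OU=Build,DC=corp,DC=example",
    r"03/14/2024 09:12:05:101     Account: CORP\tech.jdoe",
    r"03/14/2024 09:12:07:300 NetpDoDomainJoin: status: 0x0",
    r"05/01/2024 11:00:00:000     Account: (NULL)",
    r"06/02/2024 16:40:11:020     Account: corp\svc-join",
    r"06/03/2024 08:01:44:512     Account: CORP\tech.jdoe",
]

TIMESTAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}):\d{3}\s")


def join_accounts(lines):
    """Map each account (lowercased) to the earliest timestamp it appears with.

    Same filter as the relevance: the lowercased line must contain
    "account:" and a backslash; the account is the text after the last ": ".
    """
    found = {}
    for raw in lines:
        line = raw.lower()
        if "account:" not in line or "\\" not in line or ": " not in line:
            continue
        account = line.rsplit(": ", 1)[1].strip()
        match = TIMESTAMP.match(raw)
        when = datetime.strptime(match.group(1), "%m/%d/%Y %H:%M:%S") if match else None
        previous = found.get(account)
        if account not in found or (when and (previous is None or when < previous)):
            found[account] = when
    return found


def first_join(lines):
    """Return (timestamp, account) for the earliest dated match, or None."""
    dated = [(when, acct) for acct, when in join_accounts(lines).items() if when]
    return min(dated) if dated else None


if __name__ == "__main__":
    for acct, when in join_accounts(SAMPLE_LOG).items():
        print(acct, when)
    print("earliest:", first_join(SAMPLE_LOG))
```
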