How to get the domain users and their last logon times

Hello Everyone,

Hope you are doing well.
We were running the fixlet debugger on a machine connected to a domain, but the relevance statements we ran only returned results for ‘local users’. Can anyone help us to create a relevance to get the domain users and their last logon times?

Here are the details of the QnA results:
https://app.box.com/s/3lucuoozgz2d8c3ivzv22w221mlscezo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList will give you the names of local and domain profiles on the PC. You could also use C:\Users to check names and the last modified time on the user profiles, though it's not 100% accurate. I recommend turning on audit logon events through group policy.

3 Likes

Quite interesting.

q: (name of it, values "ProfileImagePath" of it) of keys of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: S-1-5-18, %25systemroot%25\system32\config\systemprofile%00
A: S-1-5-19, %25systemroot%25\ServiceProfiles\LocalService%00
A: S-1-5-20, %25systemroot%25\ServiceProfiles\NetworkService%00
A: S-1-5-21-3517xxxxx-3655xxxxx-10886xxxxx-1002, C:\Users\BOB-Admin%00
A: S-1-5-21-4743xxxxx-1838xxxxx-1581xxxxx-11xxx, C:\Users\Bob.Bobbert%00
A: S-1-5-21-4743xxxxx-18383xxxxx-1581xxxxx-7xxx, C:\Users\rakesh%00
1 Like

The only references to finding last logon time (at the client) from Microsoft’s docs have been to look at LastUseTime from Win32_UserProfile in WMI. Here’s a property I’ve been using at some customers to track user logons within the last day, you should be able to extend this to any time frame you need.

(sid (string value of property "sid" of it) as string | string value of property "sid" of it, time value of property "LastUseTime" of it) whose (now - item 1 of it < 1 * day) of (select objects "sid,LastUseTime from Win32_UserProfile" of wmi) whose (set of ("S-1-5-20";"S-1-5-19";"S-1-5-18") does not contain string value of property "sid" of it)

edit: slightly more efficient WMI lookup

1 Like
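The two posts above rely on the same two ideas: strip the well-known service SIDs (S-1-5-18/19/20) from the profile list, and compare each remaining profile's LastUseTime against a time window. The ProfileList output earlier in the thread also shows that the local admin account and the domain accounts differ in the "domain" portion of the SID (everything before the last hyphen), which is how you can tell a local profile from a domain profile on the client without asking AD. The following Python is an added example, not relevance from the thread and not BigFix code; it works on constructed Win32_UserProfile-style records (the SIDs, the machine SID and the CIM datetime strings are made up) so it runs offline, and it does what the relevance does in a form you can unit-test. WMI returns LastUseTime as a CIM_DATETIME string (`yyyymmddHHMMSS.ffffff±UTC`, offset in minutes) and may return null for a profile that has never been used; both cases are handled.

```python
"""Added example (not from the forum thread): classify Win32_UserProfile-style
records as service / local / domain profiles and keep those used within a window.
All SIDs, timestamps and the machine SID below are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone

# Well-known service SIDs that the relevance in the thread filters out.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# CIM_DATETIME: yyyymmddHHMMSS.ffffff followed by a signed UTC offset in minutes.
_CIM_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")


def parse_cim_datetime(value):
    """Parse a WMI CIM_DATETIME such as '20220524095510.000000-240' into an
    aware datetime. The trailing field is the UTC offset in minutes."""
    m = _CIM_RE.match(value)
    if not m:
        raise ValueError(f"not a CIM datetime: {value!r}")
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    offset = timedelta(minutes=int(off))
    if sign == "-":
        offset = -offset
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us),
                    tzinfo=timezone(offset))


def classify_sid(sid, machine_sid):
    """'service' for the well-known service SIDs, 'local' when the SID's domain
    part (everything before the final RID) equals the machine SID, else 'domain'."""
    if sid in SERVICE_SIDS:
        return "service"
    domain_part = sid.rsplit("-", 1)[0]
    return "local" if domain_part == machine_sid else "domain"


def recent_profiles(profiles, machine_sid, now, window=timedelta(days=1)):
    """Return (sid, kind, last_use) for non-service profiles whose LastUseTime
    falls within `window` of `now`. Profiles with a null LastUseTime are skipped,
    which is what WMI reports for a profile that has never been loaded."""
    out = []
    for p in profiles:
        kind = classify_sid(p["SID"], machine_sid)
        if kind == "service" or p.get("LastUseTime") is None:
            continue
        last_use = parse_cim_datetime(p["LastUseTime"])
        if now - last_use < window:
            out.append((p["SID"], kind, last_use))
    return out


# Constructed sample data; the SIDs are not the masked ones from the thread.
MACHINE_SID = "S-1-5-21-3517000000-3655000000-1088600000"
DOMAIN_SID = "S-1-5-21-4743000000-1838000000-1581000000"
SAMPLE_PROFILES = [
    {"SID": "S-1-5-18", "LastUseTime": "20220524060000.000000-240"},   # service, recent
    {"SID": MACHINE_SID + "-1002", "LastUseTime": "20220522080000.000000-240"},  # local admin, 2 days old
    {"SID": DOMAIN_SID + "-1101", "LastUseTime": "20220524095510.000000-240"},   # domain user, 4 hours old
    {"SID": DOMAIN_SID + "-7002", "LastUseTime": "20220514120000.000000-240"},   # domain user, 10 days old
    {"SID": DOMAIN_SID + "-7003", "LastUseTime": None},                           # never loaded
]
# Constructed "now": 2022-05-24 14:00 at UTC-4, matching the thread's time zone.
NOW = datetime(2022, 5, 24, 14, 0, 0, tzinfo=timezone(timedelta(hours=-4)))

if __name__ == "__main__":
    for sid, kind, t in recent_profiles(SAMPLE_PROFILES, MACHINE_SID, NOW):
        print(f"{kind:<7} {sid}  last use {t.isoformat()}")
```

On a real client you would feed `recent_profiles` the rows from `Get-CimInstance Win32_UserProfile` (SID and LastUseTime) and the machine SID read from the local Administrator account's SID with the RID stripped; the window check is the same `now - item 1 of it < 1 * day` test the relevance performs. Bear in mind the observation later in the thread that LastUseTime is refreshed at boot and while the profile is loaded, so a small window measures "currently or recently loaded" rather than "last interactive logon".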

Not very pretty but I use this for last logged on users… The last bit relies on a task for Linux that does a
wait sh -c "lastlog -b 0 -t 7 > /var/log/lastlog.log"

Q: if (name of operating system as lowercase contains "win") then (if ((name of operating system as lowercase contains "xp") or (name of operating system as lowercase contains "win2003")) then (if not exist keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName" of (if x64 of operating system then (x64 registry;x32 registry) else registry) then values "DefaultUserName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" of (if x64 of operating system then (x64 registry;x32 registry) else registry) as string else "No User Logged") else (if NOT exist keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser" of (if x64 of operating system then (x64 registry;x32 registry) else registry) then values "LastLoggedOnUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\" of (if x64 of operating system then (x64 registry;x32 registry) else registry) as string else "No User Logged")) else if mac of operating system then string "lastUserName" of dictionary of file "/Library/Preferences/com.apple.loginwindow.plist" else if name of operating system starts with "Linux" then if exists file "/var/log/lastlog.log" then lines of file "/var/log/lastlog.log" else "Not Scanned" else "Unknown"

FWIW, as of 2022-05 on Windows 10 (2009), it seems that all profiles’ “LastUseTime” is updated at or around boot time. The currently logged-on profile’s entry seems to also update every time I read the object out of WMI.

That’s…not nice.
Anyone else seeing the same? I can check my lab tomorrow.

Is it possible you have saved Scheduled Tasks to run “at boot time” for your user accounts? Just want to narrow down whether this is always the case, or something specific to your environment.

Agree - Windows 10 21H2 - relevance shows profile use timestamp is continuously updated while profile logged in.

q: (sid (string value of property "sid" of it) as string | string value of property "sid" of it, time value of property "LastUseTime" of it) whose (now - item 1 of it < 1 * day) of (select objects "sid,LastUseTime from Win32_UserProfile" of wmi) whose (set of ("S-1-5-20";"S-1-5-19";"S-1-5-18") does not contain string value of property "sid" of it)
A: BOB\brolly, ( Tue, 24 May 2022 09:55:10 -0400 )

Run a second time and the timestamp updates to “now”

I’ve had some luck looking at the timestamps on the ntuser.dat file in the profile directories.

Q: (name of it, accessed times of files "ntuser.dat" of it) of folders of folder "C:\Users"

This again is highly susceptible to other processes on the machine potentially manipulating the file but in general since that stores the HKCU hive it shouldn’t normally be used unless that user is logged on.

If you're working with domain users, you could pull the lastLogonTimestamp attribute out of AD for the user. This (again, should) get updated upon non-cached credential authentication and should replicate across DCs in the environment. Another attribute, lastLogon exists but depending upon how your AD is deployed in the environment, it may not work for you as it does not replicate across DCs. To use that attribute you would have to pull it from the DC used for the authentication… or enumerate all of your DCs and take the maximum value discovered as the real last logon.

Get-ADUser -Identity <USERNAME_HERE> -Properties LastLogonTimeStamp | Select Name, @{Name='LastLogonTimeStamp';Expression={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}}

or borrowing a little from @brolly33

@({concatenation "," of ("%22" & string value of property "sid" of it & "%22") of (select objects "sid from Win32_UserProfile" of wmi) whose (set of ("S-1-5-20";"S-1-5-19";"S-1-5-18") does not contain string value of property "sid" of it)}) | Get-ADUser -Properties LastLogonTimeStamp | Select Name, @{{Name='LastLogonTimeStamp';Expression={{[DateTime]::FromFileTime($_.LastLogonTimeStamp)}}

1 Like
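The PowerShell in the post above leans on `[DateTime]::FromFileTime`, because both lastLogonTimestamp and lastLogon are stored as Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC, with 0 meaning "never set"), and the post's advice for lastLogon is to query every DC and keep the maximum. The Python below is an added example, not part of the thread and not the poster's script; it is written in Python rather than PowerShell only so it can run offline anywhere, and the DC names and attribute values it uses are constructed. It shows the FILETIME conversion, the max-across-DCs rule with the "never logged on here" zero handled, and the gap you should expect between the replicated lastLogonTimestamp and the true last logon: by default AD rewrites lastLogonTimestamp only when the stored value is more than about 14 days old (minus a random offset of up to 5 days), so the replicated attribute can legitimately trail the real logon by up to two weeks.

```python
"""Added example (not from the forum thread): convert AD FILETIME logon
attributes and pick the newest lastLogon across several domain controllers.
DC names and attribute values below are constructed sample data."""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime; 0 means never set."""
    if ft == 0:
        return None
    # Python datetimes stop at microseconds, so drop the last decimal digit.
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    td = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def newest_last_logon(per_dc):
    """per_dc maps DC name -> the lastLogon FILETIME that DC holds for the user
    (0 on a DC that never authenticated them). Returns (dc, datetime) for the
    most recent value, or (None, None) if no DC has ever seen a logon."""
    best_dc, best_ft = None, 0
    for dc, ft in per_dc.items():
        if ft > best_ft:
            best_dc, best_ft = dc, ft
    if best_dc is None:
        return None, None
    return best_dc, filetime_to_datetime(best_ft)


def last_logon_report(last_logon_timestamp_ft, per_dc):
    """Combine the replicated lastLogonTimestamp with the per-DC lastLogon values
    and report how far the replicated attribute trails the true last logon."""
    replicated = filetime_to_datetime(last_logon_timestamp_ft)
    dc, actual = newest_last_logon(per_dc)
    lag = (actual - replicated) if replicated and actual else None
    return {"lastLogonTimestamp": replicated, "lastLogon": actual,
            "lastLogon_dc": dc, "lag": lag}


# Constructed sample values for one user, built from datetimes so they are exact.
UTC = timezone.utc
SAMPLE_LAST_LOGON_TIMESTAMP = datetime_to_filetime(datetime(2022, 5, 10, 8, 0, 0, tzinfo=UTC))
SAMPLE_PER_DC = {
    "DC01": datetime_to_filetime(datetime(2022, 5, 20, 8, 0, 0, tzinfo=UTC)),
    "DC02": datetime_to_filetime(datetime(2022, 5, 24, 13, 55, 10, tzinfo=UTC)),
    "DC03": 0,  # this DC never authenticated the user
}

if __name__ == "__main__":
    report = last_logon_report(SAMPLE_LAST_LOGON_TIMESTAMP, SAMPLE_PER_DC)
    for key, value in report.items():
        print(f"{key:<18} {value}")
```

To use it against a real forest you would collect lastLogon from each DC (for example `Get-ADUser -Server <dc> -Properties lastLogon` in a loop over `Get-ADDomainController -Filter *`) and pass the integers in as `per_dc`; the `lag` field then tells you whether the cheaper, replicated lastLogonTimestamp is good enough for the question you are asking, or whether you need the per-DC sweep the post recommends.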