Last Logon Date

Usage and Config
1

(imported topic written by SystemAdmin)

We are trying to figure out how often machines are being used. Just being on doesn’t count.

Is there anyway to get BF to return a “last logon date” property?

Thanks.

2

(imported comment written by jessewk)

Alan,

There are a number of properties that I think will answer your question available on this page:

http://support.bigfix.com/bes/misc/retrievedproperties.html

Check out the ‘User’ section. In particular, I think the ‘Last logon of local users’ property will give you the information you’re looking for.

Regards,

Jesse

3

(imported comment written by BenKus)

Hey Alan,

Jesse’s method will work, but it will only detect local users (not domain users)… Here is another way…

You can use the BES Client to notice when the logged in user changes and then record the person and the time. You can even store the history of the logged in users.

To do this, create a Fixlet with the following;

Relevance:   (not exists value 
"LoggedIn" of keys 
"HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry) OR (value 
"LoggedIn" of keys 
"HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry != (exist current user) as string)     Action:   regset 
"[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats]" 
"LoggedIn"=
"{exists current user}"   regset 
"[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats]" 
"LastLoggedInUser"=
"{(if (exists current user) then (name of current user) else "none
")}"   regset 
"[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats]" 
"LastTime"=
"{now}"   regset 
"[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats]" 
"LogonHistory"=
"{ ( "::
" & (if (exists current user) then (  name of current user) else "none
") & ";;
" & (now as string)) & (if (not exists value "LogonHistory
" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats
" of registry) then "
" else if (number of substrings "::
" of (value "LogonHistory
" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats
" of registry as string) > 5) then (preceding text of last "::
" of (value "LogonHistory
" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats
" of registry as string)) else (value "LogonHistory
" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats
" of registry as string)) }"

After you make the Fixlet, you must take the action from the Fixlet and apply it to the computers you want to track. Make sure to make it a “Policy” action with the Action Retry and Action Reapply set to “no limit”. (If you forget to do this, it will stop tracking).

This will keep several statistics about the last logged in users including the last 5 users to log in/out and the times. You can then base a number of properties off of these statistics like:

  • Last time a user logged on/off
  • Last user to login
  • Last 2 users to login
  • and so on…

I did NOT test this so someone will have to try it out for me and see if it works… If you want me to write some properties based on these statistics, let me know.

Ben

4

(imported comment written by brolly3391)

How about this as an imperfect but effective alternative as a simple retrieved property that relies on the modified date of the NTUSER.DAT (current user registry hive). The advantage with this soultion is that it does not require a fixlet to run repeatedly and can be implemented as a pair of simple retrieved properties.

The advantage to Ben’s solution is that it tracks more information and might provide more accurate logon times. It might also be faster for deriving the Logon user names. Ben, how do you control the fixlet to run just once each time the user logs in and not just run constantly until the user logs off?

Last activity

q: if exists current user then (now) else (maximum of (modification times of files “ntuser.dat” of folders of folder (substring before “\All Users\Desktop” of (value “common desktop” of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders” of registry as string))))

A: Wed, 30 Aug 2006 13:59:32 -0400

T: 0.280 ms

I: singular time

Last activity user

q: if exists current user then (name of current user) else (name of folder whose (modification time of file “ntuser.dat” of it = maximum of (modification times of files “ntuser.dat” of folders of folder (substring before “\All Users\Desktop” of (value “common desktop” of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders” of registry as string)) ) ) of folder (substring before “\All Users\Desktop” of (value “common desktop” of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders” of registry as string)))

A: Brolly33

T: 1.627 ms

I: singular string

Also, does anyone remember the registry key or environment variable for the location of the profiles directory? I had to parse an entry from the explorer\shell folders key and that is not elegant at all.

5

(imported comment written by JonFan)

Ben’s technique will only run once following a logon or logoff event. The first time it runs when a user logs on, it will set the LoggedIn value to true. From the second part of the relevance statement, the action will only run again when that becomes false (i.e. a user is no longer logged in).

I think the environment variable is “ALLUSERSPROFILE” for the all users profiles. Try “variables of environment” in QnA to get all valid environmental variables on your computer.

6

(imported comment written by brolly3391)

Johnathan,

I looked back over Ben’s relevance/action with a more critical eye and I see that toggleing action now. Thanks for pointing that out to me, it’s pretty slick.

ALLUSERSPROFILE=C:\Documents and Settings\All Users

I needed the root of the profiles folder which would be C:\Documents and Settings on a default XP build. I checked all the environment variables but there were no hits. I did finally find the registry key after some Googling:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

ProfilesDirectory

which defaults to: %SystemDrive%\Documents and Settings on a Windows XP machine.

Cheers,

Brolly

7

(imported comment written by JonFan)

One other way I’ve gotten at that is:

preceding text of last “” of (value of variable “ALLUSERSPROFILE” of environment as string)

Not the greatest technique, but it gets the job done as well.

8

(imported comment written by ErnieF91)

Has anyone implemented this? I tried yesterday and after testing, it doesn’t seem to work correctly. It seems that if I restart the computer and login once it is up, it doesn’t register the login. I’m assuming this is due to the fixlet not toggleing the logoff action, because of the reboot.

I logged off and let the computer set 15 mintues and the “LoggedIn” Key changed to False. It registered the time of the logoff in the LogonHistory with the user “none”. I logged back in and 15 minutes later it successfully registed my login.

The problem is that most users will shutdown in the evening and restart the next morning and it looks like that will not register correctly.

Ernie

9

(imported comment written by BenKus)

Hey Ernie,

I think you are right and I didn’t remember to take this case into consideration… But I think there is a straight-forward change we can the relevance to take into account the

Relevance:

(not exists value “LoggedIn” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats” of registry) OR (value “LoggedIn” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats” of registry != (exist current user) as string)

OR (boot time of operating system > (value “LastTime” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats” of registry as string as time))

I think by adding that last little bit in, it will trigger the action to re-run after restart.

Once again this is untested and hopefully you can help me confirm that it works and I didn’t make a mistake.

Thanks,

Ben

10

(imported comment written by SystemAdmin)

Ben -

Looks like its working for me - though I will let it run for a while just to make sure.

Thanks!

Alan

11

(imported comment written by BenKus)

Anyone interested in this thread might be interested in this post regarding tracking “primary users” using a similar method:

http://forum.bigfix.com/viewtopic.php?pid=5466#p5466

Ben

12

(imported comment written by Ashwin.D91)

Sorry to bring this thread back up again;

But for clients connecting over the internet, depending on the client report back interval set, lets say i log off and log in again immediately as a different user, it will not be recorded right?

This is for Ben’s method…

13

(imported comment written by BenKus)

Hey Ashwin.D,

The agent should work the same whether it is connected or not connected to the network in this case. But in any case, with this method there would be a chance that the user was not noticed when the user logged in and then logged off quickly.

Ben

14

(imported comment written by mallika91)

I am collecting disk drive Info from the Bigfix ,I am using the below query which posted on forum. but the result it showing multiple results. Could you please advise and mdify the below query to show the result on the console , now the result its showing as – multple results.

if (exists wmi) then (string value of property “caption” of it, (string value of property “size” of it as integer / 1024/1024/1024) as string & " GB") of (select objects “Caption, size from Win32_DiskDrive” of wmi) else nothings

Thanks and Regards

Mallikarjun

15

(imported comment written by jessewk)

concatenation " ; " of (if (exists wmi) then (string value of property “caption” of it, (string value of property “size” of it as integer / 1024/1024/1024) as string & " GB") of (select objects “Caption, size from Win32_DiskDrive” of wmi) else nothings )

16

(imported comment written by mdahitule91)

Hi All,

Is anyone created Analysis based on Relevance and Action Provided by Ben.

Please share the same. As i am looking for the analysis for 5 Last Logon Users with Date and Time of logon and logoff.

Thanks in Advance,

Mangesh Dahitule.

17

(imported comment written by BenKus)

Hey guys,

Nowadays in 8.1, we have an inspector to query the last login time:

q: (name of it, last logons of it) of local users
A: bkus, ( Sun, 27 Mar 2011 19:43:48 -0700 )

Ben

18

(imported comment written by mdahitule91)

Hi Ben,

This inspector also works with version 7 but results only local users and not the domain users.

I am looking the result as Below

Use Name : User1

Logon Time :

Logoff Time :

Use Name : User2

Logon Time :

Logoff Time :

Use Name : User5

Logon Time :

Logoff Time :

Regards,

Mangesh Dahitule