Recording "Primary User" of a computer

(imported topic written by BenKus)

We had a request from a customer where they wanted to know the “Primary User” of a computer to help record who uses a computer the most. We implemented this for them with a relatively straightforward action/property.

The algorithm we chose was relatively simple. Look at the last 5 users to log in and record who has logged in the most.

Attached is a BES import file that captures and returns the primary user of a computer. The file contains three things:

  • Action that will tell agents to record the last 5 users who logged on in the registry (action runs every time a user logs in).
  • Property that returns the user who has logged in the most (of the last 5 times).
  • Task that can be used for reference.

Hopefully this is helpful for anyone with the same issue…

Let me know if it seems to work for you or if you have issues… I recommend you test before using extensively…

Ben

(imported comment written by nyserda91)

Does BigFix have any capabilities built-in to track logins throughout the network?

(imported comment written by BenKus)

There are no special capabilities outside of the native abilities of BigFix to collect info from the computers and display it to the console user.

Ben

(imported comment written by SystemAdmin)

Hey Ben -

Loooong time eh?

Anyways, I just implemented this and I’m getting back multiple entries for the Primary user… I’m guessing that if there is a ‘tie’ each account will be listed?

… and speaking of Primary Users, is there a way to return the Display Name for that user from AD? We’d like to see the real name of the user rather than the user’s login id.

Thanks,

Alan

(imported comment written by BenKus)

Hey Alan,

Good to hear from you again… We can get the domain/username info, but it would require re-writing the Fixlet to handle the new “logged on user” inspectors, which will take a little bit… I will see what I can do…

And yes if there is a tie then it returns all of them.

Ben

(imported comment written by SystemAdmin)

Ben, we are seeing a lot of systems show up as “none” because there are more “nones” than regular users. Is there an easy way to filter out “none” logins?

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats

LogonHistory

::testuser;;Mon, 29 Jun 2009 08:11:36 -0400::none;;Fri, 26 Jun 2009 21:09:10 -0400::testuser;;Thu, 25 Jun 2009 09:26:06 -0400::none;;Wed, 24 Jun 2009 18:40:35 -0400::none;;Tue, 23 Jun 2009 14:48:01 -0400::none;;Mon, 22 Jun 2009 17:33:40 -0400

(imported comment written by BenKus)

Interesting…

You can try changing the property to:

if (exists ( key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" whose (exists value "LogonHistory" of it) of registry)) then (concatenation ";" of unique values whose (multiplicity of it = (maximum of multiplicities of unique values of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string))) of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string)) else ("no user stats")

Ben

(imported comment written by SystemAdmin)

Ben,

That works for removing the none’s from the retrieved properties… is there a way to remove it from the action as well so that it doesn’t create the “none” entries in the registry in the first place? I have seen some systems where nobody is logged in for a week so no user will be associated…

(imported comment written by BenKus)

It has been a long time since I originally wrote this, but I believe we have to record that the user logged out with a “none” in the registry so that we can note if the user logged in again without restarting the computer… Otherwise the mechanism I implemented would not realize that the user logged off/on repeatedly…

Ben

(imported comment written by SystemAdmin)

Gotcha, below is what I ended up doing. I really like the primary user that culled the security log for primary user, however it was expensive (50-65 seconds to complete) and receives errors if the results end up being a SID, so I attempt to locate primary user via the above relevance, if result returns nothing (which it does pretty frequently) then it runs the expensive query… also only running once every 7 days.

Below is the relevance (probably could be optimized):

if ((if (exists ( key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" whose (exists value "LogonHistory" of it) of registry)) then (concatenation ";" of unique values whose (multiplicity of it = (maximum of multiplicities of unique values of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string))) of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string)) else (""))!=("")) then (if (exists ( key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" whose (exists value "LogonHistory" of it) of registry)) then (concatenation ";" of unique values whose (multiplicity of it = (maximum of multiplicities of unique values of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of ((value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string) as lowercase))) of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string as lowercase)) else ("N/A")) else (following text of first "" of (following text of first "," of ((item 1 of (item 0 of it, elements of item 1 of it) whose (maximum of (it as integer) of preceding texts of firsts "," of item 1 of it = item 0 of it) of ((maximum of (it as integer) of preceding texts of firsts "," of elements of it), it)) of (set of (((multiplicity of it as string & "," & it) of unique values of (user sid of it as string) of records whose ((now - time generated of it < 90*day) AND (event id of it as string = "528") AND ((";2;7;10;11;") contains ";" & preceding text of first "%0d" of following text of first "Logon Type:%09" of description of it as string & ";")) of security event log)as lowercase)))))

(imported comment written by SystemAdmin)

Ben,

Sorry to bother you again ;) You know, it may just be adding the exists current user to the original relevance so it only runs if someone is logged in…

orig:

(not exists value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry) OR (value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry != (exist current user) as string) OR (boot time of operating system > (value "LastTime" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string as time))

suggest:

(exists current user) AND ((not exists value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry) OR (value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry != (exist current user) as string) OR (boot time of operating system > (value "LastTime" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string as time)))

(imported comment written by BenKus)

Yes… but the problem here is that if a user logs in, then logs out for a while and then logs back in, then the second login won’t be recorded (unless they also restarted the computer).

Ben

(imported comment written by emock91)

Has anyone been able to resolve this? This would be a great feature if it worked… Can BigFix get this working correctly? Thanks

(imported comment written by BenKus)

Hey emock,

Which piece are you referring to? Have you tried the Fixlet from post #1 and the property from post #7?

Ben

(imported comment written by emock91)

Hi Ben, exactly what I tried. There is a large number of computers that show no Primary user… over 400 out of 1600. We want to start naming all of our computers in the County by their Dell Asset tag. We have been naming computers by their User Name… it has become a management nightmare. We want to be able to identify the machine when people call the Helpdesk…

(imported comment written by BenKus)

Did the task run on these computers?

Ben

(imported comment written by emock91)

Good question… I checked a bunch and the task “Track Primary User” ran.

(imported comment written by BenKus)

You might need to pick a computer and try the Fixlet debugger to troubleshoot further because I looked it over and can’t obviously spot the issue with the info sent so far…

Ben

(imported comment written by emock91)

Ben, it looks like the machines that are showing " None " or blank have a problem with the HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats

I ran a debugger on a machine that doesn’t report the Primary user and it shows an April 2009 login and the user name is none. The person logs in daily…

(imported comment written by emock91)

Hey Ben, it looks like BigFix isn’t updating HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats correctly for some reason. This person logs in daily…

Windows Registry Editor Version 5.00

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats

"LoggedIn"="False"

"LastLoggedInUser"="none"

"LastTime"="Thu, 16 Apr 2009 08:57:58 -0400"

"LogonHistory"="::none;;Thu, 16 Apr 2009 08:57:59 -0400"
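
Added example, not part of the original thread or the BigFix import file: a Python cross-check of the property discussed above (count users in LogonHistory, drop the "none" logoff markers, return every name on a tie), plus a staleness check for the case in the last posts where the history stopped updating. The function names, the lowercasing and the 30-day threshold are assumptions; the sample strings are the values posted in the thread.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Sample values as posted in the thread ("::user;;RFC 2822 date" per entry).
HISTORY_MIXED = (
    "::testuser;;Mon, 29 Jun 2009 08:11:36 -0400::none;;Fri, 26 Jun 2009 21:09:10 -0400"
    "::testuser;;Thu, 25 Jun 2009 09:26:06 -0400::none;;Wed, 24 Jun 2009 18:40:35 -0400"
    "::none;;Tue, 23 Jun 2009 14:48:01 -0400::none;;Mon, 22 Jun 2009 17:33:40 -0400"
)
HISTORY_STALE = "::none;;Thu, 16 Apr 2009 08:57:59 -0400"


def parse_history(raw):
    """Split a LogonHistory value into (user, aware datetime) pairs."""
    entries = []
    for chunk in raw.split("::"):
        user, sep, stamp = chunk.partition(";;")
        if not sep or not user.strip():
            continue  # leading empty chunk or malformed entry
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # unparseable timestamp: skip rather than guess
        entries.append((user.strip().lower(), when))  # lowercasing is an assumption
    return entries


def primary_users(raw, ignore=("none",)):
    """Most frequent user(s) after dropping logoff markers; a tie returns all."""
    counts = Counter(u for u, _ in parse_history(raw) if u not in ignore)
    if not counts:
        return []
    top = max(counts.values())
    return sorted(u for u, n in counts.items() if n == top)


def is_stale(raw, now, max_age=timedelta(days=30)):
    """True if there are no entries or the newest is older than max_age (assumed)."""
    stamps = [when for _, when in parse_history(raw)]
    return not stamps or now - max(stamps) > max_age


if __name__ == "__main__":
    now = datetime(2009, 7, 1, tzinfo=timezone.utc)  # fixed clock for the demo
    for name, raw in (("mixed", HISTORY_MIXED), ("stale", HISTORY_STALE)):
        print(name, primary_users(raw), "stale" if is_stale(raw, now) else "fresh")
```

Passing `ignore=()` reproduces the unfiltered behaviour, where the logoff markers outnumber the real user and "none" is reported.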