We had a request from a customer where they wanted to know the “Primary User” of a computer to help record who uses a computer the most. We implemented this for them with a relatively straight-forward action/property.
The algorithm we chose was relatively simple. Look at the last 5 users to login and record who has logged in the most.
Attached is a BES import file that captures and returns the primary user of a computer. The file contains three things:
Action that will tell agents to record the last 5 users who logged on in the registry (action runs every time a user logs in).
Property that returns the user who has logged in the most (of the last 5 times).
Task that can be used for reference.
Hopefully this is helpful for anyone with the same issue…
Let me know if it seems to work for you or if you have issues… I recommend you test before using extensively…
Anyways, I just implemented this and I’m getting back multiple entries for the Primary user… I’m guessing that if there is a ‘tie’ each account will be listed?
… and speaking of Primary Users, is there a way to return the Display Name for that user from AD? We’d like to see the real name of the user rather than the user’s login id.
Good to hear from you again… We can get the domain/username info, but it would require re-writing the Fixlet to handle the new “logged on user” inspectors, which will take a little bit… I will see what I can do…
And yes if there is a tie then it returns all of them.
Ben, we are seeing a lot of systems show up as “none” because there are more “nones” than regular users. Is there an easy way to filter out “none” logins?
if (exists ( key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" whose (exists value "LogonHistory" of it) of registry)) then (concatenation ";" of unique values whose (multiplicity of it = (maximum of multiplicities of unique values of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string))) of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string)) else ("no user stats")
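Added example, not part of the thread or of the BES import file: a Python model of the filtered relevance above, showing how the "none" filter, ties, and a history containing only "none" play out. It assumes each LogonHistory record is `user;;<something>` with records joined by `::`, as the relevance implies; the user names and `t1`… fields are constructed, and `primary_users` and `fold_case` are hypothetical names.

```python
from collections import Counter

# Constructed LogonHistory values (5 records each). The field after ";;"
# is a placeholder; the thread does not show what the action stores there.
BUSY = "jsmith;;t1::none;;t2::jsmith;;t3::none;;t4::none;;t5"
TIE = "jsmith;;t1::none;;t2::mlee;;t3::none;;t4::none;;t5"
IDLE = "none;;t1::none;;t2::none;;t3::none;;t4::none;;t5"
CASE = "JSmith;;t1::jsmith;;t2::mlee;;t3::none;;t4::none;;t5"


def primary_users(logon_history, ignore=("none",), fold_case=False):
    """Return the most frequent user(s) in a LogonHistory string.

    Mirrors the relevance: split on "::", take the text before the first
    ";;", drop ignored names, then keep every name whose count equals the
    maximum count (so a tie returns all tied names, sorted).
    """
    users = []
    for record in logon_history.split("::"):
        # 'firsts ";;" of' yields nothing for a record without ";;".
        if ";;" not in record:
            continue
        user = record.split(";;", 1)[0]
        if fold_case:
            user = user.lower()
        if user in ignore:
            continue
        users.append(user)
    if not users:
        # Only "none" (or nothing) recorded: the property comes back empty.
        return []
    counts = Counter(users)
    top = max(counts.values())
    return sorted(name for name, n in counts.items() if n == top)


if __name__ == "__main__":
    print("unfiltered:", primary_users(BUSY, ignore=()))
    print("filtered:  ", primary_users(BUSY))
    print("tie:       ", primary_users(TIE))
    print("idle:      ", primary_users(IDLE))
    print("mixed case:", primary_users(CASE), primary_users(CASE, fold_case=True))
```
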
That works for removing the none’s from the retrieved properties… is there a way to remove it from the action as well so that it doesn’t create the “none” entries in the registry in the first place? I have seen some systems where nobody is logged in for a week so no user will be associated…
It has been a long time since I originally wrote this, but I believe we have to record that the user logged out with a “none” in the registry so that we can note if the user logged in again without restarting the computer… Otherwise the mechanism I implemented would not realize that the user logged off/on repeatedly…
Gotcha, below is what I ended up doing. I really like the primary user that culled the security log for primary user, however it was expensive (50-65 seconds to complete) and I receive errors if the results end up being a SID, so I attempt to locate the primary user via the above relevance; if the result returns nothing (which it does pretty frequently) then it runs the expensive query… also only running once every 7 days.
Below is the relevance (probably could be optimized):
if ((if (exists ( key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" whose (exists value "LogonHistory" of it) of registry)) then (concatenation ";" of unique values whose (multiplicity of it = (maximum of multiplicities of unique values of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string))) of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string)) else (""))!=("")) then (if (exists ( key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" whose (exists value "LogonHistory" of it) of registry)) then (concatenation ";" of unique values whose (multiplicity of it = (maximum of multiplicities of unique values of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of ((value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string) as lowercase))) of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string as lowercase)) else ("N/A")) else (following text of first "" of (following text of first "," of ((item 1 of (item 0 of it, elements of item 1 of it) whose (maximum of (it as integer) of preceding texts of firsts "," of item 1 of it = item 0 of it) of ((maximum of (it as integer) of preceding texts of firsts "," of elements of it), it)) of (set of (((multiplicity of it as string & "," & it) of unique values of (user sid of it as string) of records whose ((now - time generated of it < 90*day) AND (event id of it as string = "528") AND ((";2;7;10;11;") contains ";" & preceding text of first "%0d" of following text of first "Logon Type:%09" of description of it as string & ";")) of security event log) as lowercase)))))
Sorry to bother you again ;) You know, it may just be adding the exists current user to the original relevance so it only runs if someone is logged in…
orig:
(not exists value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry) OR (value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry != (exist current user) as string) OR (boot time of operating system > (value "LastTime" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string as time))
suggest:
(exists current user) AND ((not exists value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry) OR (value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry != (exist current user) as string) OR (boot time of operating system > (value "LastTime" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string as time)))
Yes… but the problem here is that if a user logs in, then logs out for a while and then logs back in, then the second login won’t be recorded (unless they also restarted the computer).
Hi Ben, exactly what I tried. There is a large number of computers that show no Primary user … over 400 out of 1600. We want to start naming all of our computers in the County by their Dell Asset tag. We have been naming computers by their User Name … it has become a management nightmare. We want to be able to identify the machine when people call the Helpdesk …
You might need to pick a computer and try the Fixlet debugger to troubleshoot further because I looked it over and can’t obviously spot the issue with the info sent so far…
Ben, it looks like the machines that are showing “None” or blank have a problem with the HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats
I ran a debugger on a machine that doesn’t report the Primary user and it shows an April 2009 login and the user name is none. The person logs in daily …