Relevance help for stacked sessions - 2 logons

I am dealing with an odd situation: some of my managed PCs are hospital-type machines with a weird setup, where the PC is logged on under a generic autologon account for access to some things, and a medical application runs on top of that with a second login (nurse badge) used for single sign-on to many apps… So both run stacked on one another: generic apps and SSO apps.

My problem is trying to find out, with relevance, whether one of those PCs is actually in use… Does it sit at a login prompt? Unfortunately, even at a login prompt it is already logged on under the primary generic autologon as far as Windows is concerned…

In the console the primary login is the one reported under “user name” regardless, not the SSO one, and even when it is (I’ve seen some) it probably coincides with the PC reporting at that exact time; it’s brief and not always picked up by the agent reporting… If I run QNA on those machines it is only aware of 1 logged on user (the secondary one, SSO), not 2, or I could say “exists one logged on user, not 2”… I also tried specific “exists running applications xxxx”, but it seems like they are all already running from the generic autologon… I need to find something started by the SSO session only, but if anyone has any ideas of strange things I could query in that vein to identify one vs 2 users, please chime in :wink: Thx!

Perhaps you can pull all logged-in users and filter out the generic one (assuming you can identify the generic one and that it is consistent on your endpoints).

q: exists logged on users whose (name of it !="genericUserID")
A: True
T: 3.983 ms
I: singular boolean

q: names of logged on users
A: brolly33
T: 2.014 ms
I: plural string

To test this out, you might create an analysis with the simple relevance of
names of logged on users


If this does not bear fruit, we might need to look at some less likely sources, like “is a registry hive loaded” or “Is there a WMI class that we could probe” or “can we look for users of processes”.

q: (names of it, users of it as string) of processes whose (name of it = "System" or name of it = "explorer.exe")
A: System, NT AUTHORITY\SYSTEM
A: explorer.exe, BigFixDomain\brolly33

Thank you very much! Option one is pretty much where I’ve been, and it’s not working well because relevance only detects the primary login (it only sees the secondary if you run the relevance from inside that session, which is not useful), but option 2 gives me a new avenue to explore. Thank you for that!!! Will let you know!


That is… strange. Even if run from the client context?

try this:

unique values of names of (current users; logged on users)

Yes, apparently… the above query returns just me, the badged-in user. So again, the PCs autologon with a specific account called GPOxxxx (it’s just the name in use because it’s tied to a group policy that restricts access). That account gives the PC network rights and restricts access to certain things… Then the medical app triggers a second login (really the only one a user ever sees, since login #1 is the autologon), and that is used by clinicians to badge in and single-sign-on to a lot of medical apps that are “bridged” to pass their credentials. But underneath, the GPO account is still the boss and the default for most apps…

Net result: in the BF console, the PCs show the user as GPOxx (the autologon) 99% of the time because of the polling interval - it switches to the secondary user if caught at the right time, but it’s hard to trust that data because it’s old by the time you read it (someone could have logged in). If I break into the session (it’s very locked down) and install QNA, the user shows as the badged-in user (me) - only…

I’d like a way to write reliable relevance for pushes, to know if there’s one user only (not in use) or 2 (in use).
In no circumstances do I see both users logged on when testing. That’s all I want: I’d like to know when a machine is at rest (one user only, the GPOxxx) vs when it’s in use (GPOxx + a user) so I can safely reboot it without kicking out a doctor or surgeon… No relevance showed me more than one user. Currently I’ve identified one process that is hopefully used by the badged-in user only, and I’m using this to guesstimate if a PC is in use, but I’m not 100% sure it works well. Wish I could see the session login somehow.
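An added example, not from this thread and not BigFix relevance: a PowerShell script that exposes the two "less likely sources" brolly33 suggested above (a WMI class, and the owners of processes) so the at-rest state (login prompt, only the autologon) and the in-use state (after badging in) can be captured on a test PC and compared line by line. `GPOxxxx` is a placeholder for the real generic autologon account, and the function names and the "in use" rule are my own assumptions, not anything the medical application or BigFix defines.

```powershell
# Added example (not from the thread or from BigFix). Lists interactive Windows
# logon sessions (WMI Win32_LogonSession joined to Win32_Account through the
# Win32_LoggedOnUser association) and process owners (Win32_Process.GetOwner),
# then reports whether anything other than the generic autologon account is present.
# Run it elevated on a test PC twice: at the login prompt (at rest) and after
# badging in (in use), and diff the two listings.

$GenericAccount = 'GPOxxxx'   # placeholder: replace with the real autologon account name

function Test-SystemOwner {
    # Accounts that exist on every Windows box regardless of who is using it.
    param([string]$Owner)
    $systemDomains = 'NT AUTHORITY', 'NT SERVICE', 'Window Manager', 'Font Driver Host'
    $domain = ($Owner -split '\\', 2)[0]
    return ($systemDomains -contains $domain)
}

function Get-InteractiveLogonSessions {
    # LogonType 2 = Interactive (console), 10 = RemoteInteractive (RDP),
    # 11 = CachedInteractive. Service, batch and network logons are skipped.
    $interactiveTypes = 2, 10, 11
    foreach ($session in Get-CimInstance -ClassName Win32_LogonSession) {
        if ($interactiveTypes -notcontains $session.LogonType) { continue }
        $accounts = Get-CimAssociatedInstance -InputObject $session -ResultClassName Win32_Account
        foreach ($acct in $accounts) {
            [pscustomobject]@{
                LogonId   = $session.LogonId
                LogonType = $session.LogonType
                User      = "$($acct.Domain)\$($acct.Name)"
                StartTime = $session.StartTime
            }
        }
    }
}

function Get-ProcessOwnerSummary {
    # One row per owning account, with the distinct process names it owns.
    # GetOwner fails (non-zero ReturnValue) for processes we cannot open, hence "run elevated".
    $rows = foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        if ($owner.ReturnValue -eq 0 -and $owner.User) {
            [pscustomobject]@{ Name = $proc.Name; Owner = "$($owner.Domain)\$($owner.User)" }
        }
    }
    $rows | Group-Object -Property Owner | Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Owner     = $_.Name
                Count     = $_.Count
                Processes = (($_.Group | ForEach-Object Name | Sort-Object -Unique) -join ', ')
            }
        }
}

function Test-ClinicianPresent {
    # Assumed rule: "in use" = an interactive logon session, or any process, owned by
    # an account that is neither the generic autologon nor a built-in system account.
    $extraSessions = @(Get-InteractiveLogonSessions |
        Where-Object { $_.User -notlike "*\$GenericAccount" -and -not (Test-SystemOwner $_.User) })
    $extraOwners = @(Get-ProcessOwnerSummary |
        Where-Object { $_.Owner -notlike "*\$GenericAccount" -and -not (Test-SystemOwner $_.Owner) })
    [pscustomobject]@{
        InUse         = ($extraSessions.Count -gt 0) -or ($extraOwners.Count -gt 0)
        ExtraSessions = $extraSessions
        ExtraOwners   = $extraOwners
    }
}

Get-InteractiveLogonSessions | Format-Table -AutoSize
Get-ProcessOwnerSummary | Format-Table -AutoSize -Wrap
$state = Test-ClinicianPresent
"In use: $($state.InUse)"
```

Two things to watch for when comparing the captures. If the badge-in creates a real Windows logon (a second row in the session list, or processes owned by the clinician's account), either view gives a reliable "two users" signal that does not depend on catching the console's polling interval. If instead the medical application only impersonates the badged-in user inside its own already-running processes, both listings look identical at rest and in use, and the per-process check you are already using stays the only client-side signal available.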