Friday, April 02, 2010

How to find out which user is using which computer on a Windows domain.

Provided you have access to the domain controller this can be easy.  If you don't it gets a bit more complicated.

If you are on the domain controller then you may use your Security Event Logs.  I don't know about you, but the Security Logs are the last place I want to dig for information.  If the user in question is using shares on the server you will be presented with the username and IP's of computers accessing those shares.  On your server go to Computer Management (right-click My Computer, select Manage) and drill down System Tools -> Shared Folders -> Sessions.

If you don't need to know immediately, but you desire a log of login/logoff times.  Free Windows Network User Accounting is the tool for the job.  Though it is a bit of a challenge to set up, it's worth the effort.  This web interfaced system is useful in finding out who is currently logged in and which computer they are using.  The log is never cleared unless you clear it, so the history of who used which computer when can provide a lot of insight.

If you only have access to the local computer then checking the Security Event Log and checking the last modified times of the folders in c:\documents and settings\ can provide important clues.

If you are using NetBIOS (which is becoming less and less common) and you know the user's computername or IP address then you can use your trusty command prompt.

nbtstat -A [target ip address]
nbtstat -a [netbios name]