One of the really cool things that Active Directory keeps track of is the operating system version and service pack for every computer that is in the directory. It updates this information each time a computer actually authenticates to the directory. Looking at that, you might think that if Active Directory keeps track of that, maybe it is also keeping track of which users are logging on to each computer, and that would be great. It’s probably one of the most commonly asked questions that I get at classes and conferences.
Unfortunately Active Directory does not, and without Active Directory keeping track of that information there is no other central place where that information could be logged. If your goal is to find out which user last logged on to a particular workstation, or to get a list of all the users that are logged on to a particular workstation, you are going to have to create that functionality yourself and come up with a central place to put it.
One way would be simply to write a text file to a shared folder someplace. What I have done, here in my Documents folder, is create a script called logon.vbs. This code is also in the article that accompanies this video, and it’s simply going to pull out the current user’s name and the computer name, then write a text file to a shared location that has the computer name and the username as the file name. That way you can use Explorer’s file search functionality to locate a particular computer name or username. I’ll write the current time stamp to that file so I could potentially write another script to go through and find old ones and clean them up.
To actually make this happen I am going to have to go into the Group Policy Management Console. I’m just going to edit my Default Domain Policy and add a logon script. I browse to that particular script, which I put in my Documents folder, and I don’t need to feed it any parameters. Now in Windows Server 2008 and earlier, this is probably going to be a VBScript, which is why I wrote it the way I did. In an environment that has PowerShell version 2 deployed to all your client computers you could use PowerShell as a logon script as well, and Windows Server 2008 R2 comes with a Group Policy template that would let you do that.
Once I’ve applied this, I’m also ideally going to want to write a second script, and again the code is in the article that accompanies this video. This script would be a logoff script: when the user logs off, it goes and deletes that file. The reason I might want to have a script go through and clean those things up automatically is simply because some users are going to shut those machines off without logging off, so that logoff script won’t run all the time. Of course, if you have tools that allow you to manage your logon scripts a little more effectively and do more stuff, you are going to have more capabilities for doing things like this. Without them, you need to build it manually, and those are the steps you are going to have to go through.
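
The logon, logoff and cleanup steps described above, as an added PowerShell example (it is not the logon.vbs from the accompanying article). The share path, the file-name pattern and the seven-day cutoff are assumptions.

```powershell
# Added example, not the script from the original article.
# $ShareRoot is a hypothetical placeholder; point it at your own share.
# Every user must be able to write there, so treat the files as a
# convenience lookup, not as an audit record: any user can forge or delete one.
param(
    [ValidateSet('Logon', 'Logoff', 'Cleanup')]
    [string]$Mode = 'Logon',          # default lets the GPO logon entry pass no parameters
    [string]$ShareRoot = '\\fileserver.example.com\LogonTracking$',
    [int]$MaxAgeDays = 7              # assumed retention for stale files
)

function Get-MarkerPath {
    # File name carries computer and user so a file search can match either one.
    $name = '{0}_{1}.txt' -f $env:COMPUTERNAME, $env:USERNAME
    Join-Path -Path $ShareRoot -ChildPath $name
}

function Write-LogonMarker {
    # Sortable timestamp as the file body; overwrites a leftover file
    # from a session that ended without a logoff.
    $stamp = (Get-Date).ToString('s')
    Set-Content -LiteralPath (Get-MarkerPath) -Value $stamp
}

function Remove-LogonMarker {
    $path = Get-MarkerPath
    if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path }
}

function Remove-StaleMarker {
    # Removes files left behind when a machine was shut off without a logoff,
    # so the logoff script never ran.
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ChildItem -LiteralPath $ShareRoot -Filter '*.txt' |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff } |
        ForEach-Object { Remove-Item -LiteralPath $_.FullName }
}

switch ($Mode) {
    'Logon'   { Write-LogonMarker }
    'Logoff'  { Remove-LogonMarker }
    'Cleanup' { Remove-StaleMarker }
}
```

Assign the script with no parameters as the logon script and with `-Mode Logoff` as the logoff script; `-Mode Cleanup` is meant to be run periodically by an administrator account that can delete other users' files.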