Finding Users on the Network
Use Winscl to find out which computers your users are logged onto.
- By Bill Boswell
- July 08, 2003
Bill: Could you tell me which command to use
(if any) to find out to which
workstation a user is logged onto [using their logon ID].
—Gabe Bauer, New York
Gabe,
This turns out to be a tricky proposition. A user can be logged in from
many workstations and each workstation may use a different domain controller
for authentication. You end up with two bits of information you need:
the IP addresses for any of the user’s logon workstations and the
DNS or NetBIOS names that correspond to those addresses.
The fastest way to find the IP addresses is to look them up in WINS,
which you can accomplish in a couple of ways. You can open the WINS console
and select a server then filter the result set to the first letter of
the user you’re trying to find. Once you locate the user, you can
expand the filter to show the workstation names corresponding to the same
IP address.
It’s simpler, though, to use Winscl, a command-line tool from the
Windows 2000 Resource Kit. Winscl tool doesn’t provide a single
command-line syntax. You have to navigate through a few prompts. Here’s
the syntax to search for a user called User1 on a WINS server called W2K-WINS1:
C:\>winscl n nome
UNC name of machine -- w2k-wins1
qn user1 1 03 0
Get
Help from Bill |
Got a Windows or Exchange question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to Bill at mailto:[email protected];
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.) |
|
|
The n in the winscl line stands for Named Pipe. The nome stands for No
Menu. The system prompts for a server name; here, enter the flat name.
The qn in the next line stands for Query Name.
Here's what the numbers after the user name indicate:
1 – add the 16th byte for a service ID
03 – add the Messenger service
0 – no scope (a seldom-used NetBIOS feature)
The Winscl information dump shows this, including the IP address:
Name=(PHOENIXUSER10 )
NodeType=(3)
State=(ACTIVE)
TimeStamp=(Wed Jul 09 09:39:48)
OwnerId=(0)
Type Of Rec=(UNIQUE)
Version No (0 11ef)
Record is (DYNAMIC)
Address is (192.168.0.160)
You can use the SDB command in Winscl to show the other records that
have the same IP address using this syntax:
Command -- sdb
Search by Address or Name (1 for Address, 0 for Name) -- 1
Address (dotted decimal) -- 192.168.0.160
Put records in wins.rec file (1 for yes, 0 for no) -- 0
Status returned is (SUCCESS - 0)
Searching records owned by 192.168.0.1
-----------------------
Name is (XP-PRO1 ).
16th char is (0)
NameLen is (17)
Type is (UNIQUE)
State is (ACTIVE)
Version No is (0 11c5)
Static flag is (0)
Timestamp is (Wed Jul 09 06:40:39)
IP Address is (192.168.0.160)
Skip past any user names or workstation names with Released status and
find the workstation name with an Active status.
This technique works in real time but you need to keep the replication
intervals in mind. It’s possible that a user might be logged on
a domain controllers at two sites that point to two different WINS servers
that haven’t fully replicated.
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.