UserSes

<body stylesrc="UserSes.htm"> <p> </p>  <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td></td> <td align="right"><div align="right"><table border="2" cellpadding="3" cellspacing="0" bordercolor="#008080" bordercolordark="#008080" bordercolorlight="#008080"> <tr> <td align="right"><font color="#008080" size="1" face="Arial">contents:</font><font size="1" face="Arial"><br> <a href="#Arguments">Arguments</a><br> <a href="#Examples">Examples</a><br> <a href="#Download and installation">Download and installation</a><br> <a href="#Version history">Version history</a></font></td> </tr> </table> </div></td> </tr> <tr> <td valign="bottom"><a name="UserSes"><font color="#008080" size="5" face="Arial"><strong>UserSes</strong></font></a></td> <td align="right" valign="bottom"></td> </tr> </table> <p><font face="Arial">The UserSes command will list logon/logoff sessions for one or more users. UserSes reads the Security Event Logs on all domain controllers to get the session information. For this to work you must have enabled audit of Logon and Logoff at the Domain Controller (you do that in the User Manager for Domains at the Policies, Audit menu). Also, when running the UserSes command you must have the SE_SECURITY_NAME User Right (you will normally have this User Right if you run as Administrator).</p> <p>For each session UserSes will print: date of logon, time of logon, date of logoff, time of logoff, user id and workstation name. Note that UserSes will have to read through the Security Event Logs on all the Domain Controllers. If these logs are large UserSes can take quite a while to execute.</p> <p><font face="Arial">UserSes is a <a href="http://www.perl.org/">Perl</a> program which internally uses the <a href="http://www.ibt.ku.dk/jesper/netviewx/">NetViewX</a> and <a href="http://www.ibt.ku.dk/jesper/ELDump/">elDump</a> commands. It is written by <a href="http://www.ibt.ku.dk/jesper" target="_top">Jesper Lauritsen</a> and is in the Public Domain.</font></p> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Arguments">Arguments</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="#top">top</a>)</font></td> </tr> </table> <p><font face="Arial"> <strong>UserSes</strong> takes the following arguments:</font></p> <table border="0"> <tr> <td width="20%" valign="top"><em><strong>userid</strong></em></td> <td>Simple userid or userid on the form domain\user. All sessions by this users will be listed. You can specify one or more userids.</td> </tr> <tr> <td width="20%" valign="top"><strong><font face="Arial">-D<em> domain</em></font></strong></td> <td>Domain to list sessions for. Default is the domain of the userid(s). You only need to use this option if you want to list sessions in this domain for a user from another trusted domain.</td> </tr> <tr> <td width="20%" valign="top"><strong><font face="Arial">-S [<em>dir</em>]</font></strong></td> <td><font face="Arial">Also look in event logs saved with <a href="http://www.ibt.ku.dk/jesper/ELSavClr/">elSavClr</a> (see the documentation for <a href="http://www.ibt.ku.dk/jesper/ELDump/eldump.htm#Dump of ELSavClr saved logs">elDump -S</a>).</font></td> </tr> <tr> <td width="20%" valign="top"><strong><font face="Arial">-a <em>time</em></font></strong></td> <td>Only list<font face="Arial"> sessions after this time [YY]YYMMDD[HH[MM[SS]]].</font></td> </tr> <tr> <td width="20%" valign="top"><strong><font face="Arial">-A <em>days</em></font></strong></td> <td>Only list sessions in the last specified number of days.</td> </tr> <tr> <td width="20%" valign="top"><strong><font face="Arial">-b <em>time</em></font></strong></td> <td>Only list sessions before this time [YY]YYMMDD[HH[MM[SS]]].</td> </tr> <tr> <td width="20%" valign="top"><strong><font face="Arial">-B <em>days</em></font></strong></td> <td>Only list sessions before the specified number of days.</td> </tr> <tr> <td width="20%" valign="top"><strong><font face="Arial">-s <em>seconds</em></font></strong></td> <td>Do not list sessions shorter than the specified number of seconds. Clients not running Windows NT often makes some short spurious sessions when connecting. Default is not to list sessions shorter than 30 seconds.</td> </tr> <tr> <td width="20%" valign="top"><strong>-m</strong></td> <td>Do not merge overlapping sessions to same workstation. Often clients will have more than one concurrent session, and some times they will end a session and then start a new one right away. Default is to merge such sessions to one session in the list.</td> </tr> <tr> <td width="20%" valign="top"><strong>-i</strong></td> <td>Also list the session id. The session id will also identify the Domain Controller which validated the logon.</td> </tr> <tr> <td width="20%" valign="top"><strong>-v</strong></td> <td>Print some trace info to standard error.</td> </tr> </table> <p> </p> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Examples">Examples</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="#top">top</a>)</font></td> </tr> </table> <p><font face="Arial">List sessions by user bill:</font></p> <blockquote> <p></font><font face="Courier New">userses bill</font><font face="Arial"></p> </blockquote> <p>List <em>all</em> sessions by user bill:</p> <blockquote> <p></font><font face="Courier New">userses bill -s0 -m</font><font face="Arial"></p> </blockquote> <p><font face="Arial">List session from the last 24 hours in domain mydom1 by user jeff in domain mydom2:</font></p> <blockquote> <p></font><font face="Courier New">userses mydom2\jeff -D mydom1 -A 1</font><font face="Arial"></p> </blockquote> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Download and installation">Download and installation</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="#top">top</a>)</font></td> </tr> </table> <p><font face="Arial">Before download and installation you should:</font> <ul> <li><font face="Arial"><a href="http://www.activestate.com/">Download and install Perl</a>.</font></li> <li><font face="Arial">Download  <a href="http://www.ibt.ku.dk/jesper/NetViewX/">NetViewX</a> and <a href="http://www.ibt.ku.dk/jesper/ELDump/">elDump</a> and preferable put them in a directory which are in your path.</font></li> </ul> <p><a href="http://www.ibt.ku.dk/jesper/cgi/download.pl?File=UserSes/UserSes"><font face="Arial">Download current version of UserSes.</font></a></p> <p>The UserSes tool is distributed as a zip file containing UserSes.bat (the tool) and UserSes.htm (this page). If NetViewX and elDump is not in your path you must edit UserSes<font face="Arial">.bat to include the absolute path to these tools. Otherwise you do not have to install the tool - simply run it from a command line.</font></p> <p><font face="Arial">You may also want to look at the other <a href="http://www.ibt.ku.dk/jesper/NTtools/" target="_top">NT tools</a> by Jesper.</font></p> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Version history">Version history</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="#top">top</a>)</font></td> </tr> </table> <table border="0"> <tr> <td valign="top"><strong><font face="Arial">version</font></strong></td> <td></td> </tr> <tr> <td valign="top"><font face="Arial">0.1</font></td> <td><font face="Arial">Initial release. Consider this a beta release.</font></td> </tr> </table> <hr> <p align="right"><font size="2" face="Arial"><em>last changed 20. juli 1999</em></font></p> </font>  </body>