NOTE: See Where is <Username>?
If you implement tip 3437, with or without visibility, you can locate a user, with a roaming or local profile, by opening a CMD prompt and typing:
Whereis <Username>
Whereis.bat makes use of the freeware Reg utility, and contains:
@echo off
setlocal
REM Change \\PDCname to your \\PDC Computer name
set PDCname=\\PDCname
if {%1}=={} goto syntax
set user=%1
set user=%user:"=%
if exist "%PDCname%\zipnew\%user%.lli" goto locate
@echo User %User% has never logged on.
endlocal
goto end
:locate
type "%PDCName%\zipnew\%user%.lli"
REM Extract the computer name that the user last logged on from.
for /f "Tokens=9" %%i in ('type "%PDCName%\zipnew\%user%.lli"') do @set lastlogon=%%i
set lastlogon=%lastlogon:.=%
set locked=NOT LOCKED
set folder=%user%
REM You must not disable the default Administrative shares on the clients.
REM Is the computer powered up and attached to the network?
if not exist \\%lastlogon%\c$\*.* goto noton
REM Set the registry path to locate the remote computers local profile folder.
set rp="\\%lastlogon%\machine\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\common desktop"
REM if reg is not in your path, or the reskit reg is, ('<Drive:>\folder\reg -lv %rp%')
for /f "tokens=1*" %%i in ('reg -lv %rp%') do set RegValue=%%j
set profiles=%RegValue:\All Users\Desktop=%
set profiles=%Profiles::=$%
REM Locate the users profile folder(s).
if not exist "\\%lastlogon%\%profiles%\%user%*" goto noton
for /f "Tokens=*" %%i in ('dir /b /ad "\\%lastlogon%\%profiles%\%user%*"') do call :locate "%%i"
if exist %TEMP%\WhereIs.log del /q %TEMP%\WhereIs.log
endlocal
goto end
REM Subroutine reached by "call :locate" above. The label name is reused;
REM cmd searches forward from the calling line, so the call lands here.
:locate
set folder=%1
set folder=%folder:"=%
if exist %TEMP%\WhereIs.log del /q %TEMP%\WhereIs.log
REM The following command, response and output, is piped to %TEMP%\WhereIs.log.
REM If the user is logged on, the command pipes: "The process cannot access the file because it is being used by another process".
REM If local profiles are deleted, the command pipes: "The system cannot find the file specified.....".
REM if the user is logged off and local profiles are retained, the log is piped.
for /f "Tokens=*" %%j in ('type "\\%lastlogon%\%profiles%\%folder%\ntuser.dat.LOG"^>%TEMP%\WhereIs.log 2^>^&1') do @echo nothing>nul
for /f "Tokens=*" %%k in ('type "%TEMP%\WhereIs.log"') do @set locked=%%k
if not "%locked:~0,11%" EQU "The process" goto noton
@echo %user% is still logged on the %folder% profile at %lastlogon%.
goto end
:noton
@echo %user% has logged off the %folder% profile.
goto end
:syntax
@echo Syntax: Whereis Username
endlocal
:end

NOTE: WhereIs is stealthy and fast; the user does not know they are being located.
NOTE: WhereIs displays the following messages:
Syntax: Whereis <Username> (When you didn't specify a user.)
User <User Name> has never logged on.
Last logon was MM/DD/YYYY HH:MM from computer name <Computer Name>.
<User Name> is still logged on the <Profile Folder> profile at <Computer Name>.
<User Name> has logged off the <Profile Folder> profile.

Typical output examples:
C:\>WhereIs jennifer
Last logon was 03/01/2001 17:30 from computer name JSI007.
jennifer is currently logged on the Jennifer profile at JSI007.

C:\>WhereIs ultrabac
Last logon was 03/02/2001 08:30 from computer name JSI001.
ultrabac has logged off the UltraBac profile.

NOTE: There should be only one <Profile Folder> per user on <Computer Name>, but I thought it was prudent to alert you to the previous profile corruption, by listing them all.