\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected], and you might see the answer in this column!\]
I can't find a tool that can report from the command prompt on the user accounts that are logged on interactively and remotely to a machine. The Net Session tool provides some of the functions I'm looking for, but it can report only on users who are logged on locally and doesn't distinguish between users who are logged on interactively and remotely. Do you know of a way to get the information I'm looking for?
Sysinternals' PsLoggedOn tool provides the functionality you want. You can download psloggedon.exe for free from the Sysinternals Web site at http://www.sysinternals.com/ntw2k/freeware/psloggedon.shtml. In addition to reporting the user accounts that are logged on to a particular machine, PsLoggedOn shows their logon times. Figure 1, page 14, shows the output of running the tool against a machine that has the IP address 10.0.0.56.
PsLoggedOn queries the HKEY_USERS registry hive to report on users who are logged on locally. Thus, to run the tool against a remote machine, you need registry access permissions to the remote machine. By default, Windows NT domain administrators have sufficient permissions to use PsLoggedOn. If you've locked down your NT machines, you might need to change the registry access control settings to give your NT administrators sufficient permissions to use this tool.
PsLoggedOn can also tell you to which machine a particular user is logged on. To use this feature, type
psloggedon <username>
at the command prompt, where username is the username of the user you want to know about. This feature is useful when you want to be sure that a particular user isn't logged on to any machine when you're about to change that user's home directory or profile settings.