I have been using Get-ADUser and Get-ADComputer a few times to help troubleshoot problems in the system.
I have seen a few ways of identifying which user is logged on a specific machine through either registry, PsLoggedon.exe and other scripts, but since I'm not really a network administrator, I often get access denied. Which is fine because I'm not really interested in digging that deep.
All I need is to somehow identify which users have an account (profile) on a machine (or which machines have a user account) so I can contact them and help them whenever an exception is coming from their IP address.
Is there absolutely no relationship between these two objects out-of-the-box?
There is absolutely no relationship between these objects "out of the box". Windows 8 / Windows Server 2012 introduced a concept of a "primary computer" Active Directory schema attribute but I highly doubt you're going to find that being used.
Getting the logged-on user on a remote machine is one of those things that sounds like it should be really easy but, in practice, isn't.
I think you're going to have to get some cooperation from your network administration staff to reliably get what you're looking for. Remotely querying logged-on user information through "normal means" (psloggedon, WMI queries, remote registry access) is going to require that you either have local Administrator rights on the remote machine, or that changes are made to defaults to grant your non-Administrator context that right.
To get into talking about "hacks": I could imagine a scenario where your exception handler attempts to redirect the user's browser to a page that requires NTLM authentication and, if the clients are configured to automatically attempt authentication with the logged-on user's credential, you could "harvest" the credential that way. I could also see how that could be badly misinterpreted by the network administration staff as being an attack on users, so I'd strongly recommend against doing that.
Presumably you're administering a webapp but not part of the network administration staff. If you could get network administration to buy into joining your web server to the domain you could enable authentication, at which point you'd know the username of the remote user and wouldn't have to muck about with any of this IP address stuff. If your clients are properly configured that authentication can happen transparently, too.
Existing profiles on a Windows computer are listed in the following registry key:
It contains a subkey per user profile, and the name of each subkey identifies the corresponding user by a Security Identifier.
You could "discover" user profiles by enumerating the subkeys and translate all user SIDs to their corresponding account objects:
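The profile enumeration described in the answer above, as an added example that is not part of the original post. It runs against the local machine and assumes the key meant is the standard Windows ProfileList key; the function names are hypothetical.

```powershell
# Added example, not the answerer's code.
# Assumption: the profile list lives at the standard Windows location below.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-ProfileSid {
    # Translate a SID string to DOMAIN\user; return $null if it cannot be mapped.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # Deleted account or unreachable domain controller: keep the
        # profile in the report, but leave the account name empty.
        $null
    }
}

function Get-LocalUserProfile {
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $sid = $_.PSChildName

        # Keep only machine/domain user SIDs (S-1-5-21-...). This skips the
        # built-in service profiles (S-1-5-18/19/20) and '.bak' subkeys left
        # behind by damaged profiles. Other SID families are not covered.
        if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { return }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Sid          = $sid
            Account      = Resolve-ProfileSid -Sid $sid
            ProfilePath  = $_.GetValue('ProfileImagePath')
        }
    }
}

# One row per user profile found on this machine.
Get-LocalUserProfile | Sort-Object Account | Format-Table -AutoSize
```

A row with an empty Account column is a profile whose owner could not be resolved, which usually means the account was deleted or the domain could not be reached at the time of the query.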