I was recently tasked with locating all servers on our network and query for users that were currently logged onto each server, either through a terminal session or logged on via console session. This got me thinking of what ways are available to make this happen. When it was all said and done, I came up with 4 ways to do this.
The first method is to use the Win32_ComputerSystem and grab the UserName property. The thing that you keep in mind with is that this will only return the user that is logged on using a console session, meaning that they are locally logged onto the machine, not logged on via remote desktop.
Image may be NSFW.
Clik here to view.
The second method involves another WMI query that will work for both console sessions and remote sessions. This query looks at the Win32_Process class and then performs a query to look for all of the explore.exe process, which is the user shell for each user that is logged into the server. Using this query, you can perform a wmi search and then create a custom object to hold the data. I used an advanced function I wrote to perform the query. This gets the job done and shows you who is logged into the machine, but it doesn’t really give you a lot of information to work with.
Image may be NSFW.
Clik here to view.
Function Get-WMIComputerSessions {
<#
.SYNOPSIS
Retrieves tall user sessions from local or remote server/s
.DESCRIPTION
Retrieves tall user sessions from local or remote server/s
.PARAMETER computer
Name of computer/s to run session query against.
.NOTES
Name: Get-WmiComputerSessions
Author: Boe Prox
DateCreated: 01Nov2010
.LINK
https://boeprox.wordpress.org
.EXAMPLE
Get-WmiComputerSessions -computer "server1"
Description
-----------
This command will query all current user sessions on 'server1'.
#>
[cmdletbinding(
DefaultParameterSetName = 'session',
ConfirmImpact = 'low'
)]
Param(
[Parameter(
Mandatory = $True,
Position = 0,
ValueFromPipeline = $True)]
[string[]]$computer
)
Begin {
#Create empty report
$report = @()
}
Process {
#Iterate through collection of computers
ForEach ($c in $computer) {
#Get explorer.exe processes
$proc = gwmi win32_process -computer $c -Filter "Name = 'explorer.exe'"
#Go through collection of processes
ForEach ($p in $proc) {
$temp = "" | Select Computer, Domain, User
$temp.computer = $c
$temp.user = ($p.GetOwner()).User
$temp.domain = ($p.GetOwner()).Domain
$report += $temp
}
}
}
End {
$report
}
}
The third method is made using the query sessions command line, which is available in Vista and above OS’s and on systems running Terminal Servers. Just using this command line will return a string value which does list out a nice amount of information sessiontype, username, active state of the session, etc…:
query session /server:"boe-laptop"
Image may be NSFW.
Clik here to view.
This is nice and all, but I would rather return an object that I can sort or export into a csv or something else. So with that I went and created this advanced function to parse the data and make into a more usable object:
Function Get-ComputerSessions {
<#
.SYNOPSIS
Retrieves tall user sessions from local or remote server/s
.DESCRIPTION
Retrieves tall user sessions from local or remote server/s
.PARAMETER computer
Name of computer/s to run session query against.
.NOTES
Name: Get-ComputerSessions
Author: Boe Prox
DateCreated: 01Nov2010
.LINK
https://boeprox.wordpress.org
.EXAMPLE
Get-ComputerSessions -computer "server1"
Description
-----------
This command will query all current user sessions on 'server1'.
#>
[cmdletbinding(
DefaultParameterSetName = 'session',
ConfirmImpact = 'low'
)]
Param(
[Parameter(
Mandatory = $True,
Position = 0,
ValueFromPipeline = $True)]
[string[]]$computer
)
Begin {
$report = @()
}
Process {
ForEach($c in $computer) {
# Parse 'query session' and store in $sessions:
$sessions = query session /server:$c
1..($sessions.count -1) | % {
$temp = "" | Select Computer,SessionName, Username, Id, State, Type, Device
$temp.Computer = $c
$temp.SessionName = $sessions[$_].Substring(1,18).Trim()
$temp.Username = $sessions[$_].Substring(19,20).Trim()
$temp.Id = $sessions[$_].Substring(39,9).Trim()
$temp.State = $sessions[$_].Substring(48,8).Trim()
$temp.Type = $sessions[$_].Substring(56,12).Trim()
$temp.Device = $sessions[$_].Substring(68).Trim()
$report += $temp
}
}
}
End {
$report
}
}
So now when I run this, I have my custom object that can be ran on multiple machines and list out much more information than my previous function.
Image may be NSFW.
Clik here to view.
The fourth and final way that I found to do this was using a freely available Terminal Services module, built by Shay Levi to query for user sessions. As you can see from the output, it works rather nicely.
Import-Module PSTerminalServices Get-TSSession -ComputerName "dc1"
Image may be NSFW.
Clik here to view.
As you can see, there are a variety of ways to gather information on user sessions on local and remote machines. Some are very basic, but will work from any workstation/server, while others contain more information, but may only be available on certain systems.
Filed under: powershell, scripts Tagged: accounts, Powershell, quickhits, sessions Image may be NSFW.
Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
