04-17-2024 09:17 PM
I had a colleague suggest that Lansweeper was 'broken' based on the 'computers logged onto' section of an AD users summary page. In this case, he was looking at one of his own accounts, and this is an excerpt of the results:
The key here is that he certainly did not "Logon" to all of these computers at Noon today. In fact, while these were all servers he does manage, and logs into frequently, he had not been on most of these in the past few days. So, in fact the information shown here is misleading.
Now, based on what I know of how Lansweeper tracks user logons, I expect that the timestamp shown in the "Logon" column is actually NOT anything to do with logons, but is rather the "Last successful scan" timestamp of that asset. And, indeed, I checked a few of these systems, and the timestamps did match up. So, based on what I can find, this data represents one of the following:
Can anyone confirm my findings here, and possibly suggest why this information is presented as it is, and which of my suggested scenarios best describe the results? Is there ever a circumstance where the data shown here ever shows the timestamp of an actual logon event? Or is it always scan times? If so, I'd really like to see the column names updated to reflect what is actually shown.
Thoughts? I just like to have decent answers when I'm asked these types of questions.
04-25-2024 09:45 PM - edited 04-25-2024 09:50 PM
I apologize if I came across as snarky; that was not my intention. I was simply hoping for a more definitive answer. And while, yes, I could open a support ticket, I thought this may actually be an interesting topic for discussion here.
I have seen the article you reference (and agree that Esben is a super-nice guy), and in fact I have used this as a reference internally to inform our IS staff of how Lansweeper works. But I have found that the values in the 'Windows computers logged onto" doesn't exactly line up. In fact, I did some verification today just to confirm.
In this case, I checked the my own account in Lansweeper and looked at the 'Windows computers logged onto' information. It indicated that I had logged into three servers today; I have, in fact, not logged into any of these servers today. I have checked the event logs on our DCs to confirm, and they do not show any evidence of my logging in to any of those systems today, in any way. I checked that 'Lastlogondate' for one of those servers in AD, and it showed that the last logon on that server was from two days ago. Since we have a strict forced logoff after inactivity policy, I know that I was not 'logged on' when this server was scanned today. So, the question remains ... what exactly does the 'Logon' date represent here? It is not the most recent scan time of the asset, and it does not represent a real login time for the user, so what does it represent?
This may sound pedantic, and I accept that. My point isn't to find the real login times for a user or system; we have lots of tools to do that, and I have made our staff know that Lansweeper is NOT a tool for that sort of data. Rather, my intention is to see if anyone has a more definitive answer we could pass on to Lansweeper, possibly as an enhancement. Currently, the data shown in this box is confusing and possibly misleading, and I'm looking for opportunities to see what we can improve.
I should probably mention that we are running v11.1.10.5, so this is recent information.
04-18-2024 04:41 PM - edited 04-18-2024 04:41 PM
I'm pretty sure it's the currently logged on user at the time of scan. I use that information to make a report for still-logged-on engineers that have exception to the auto-logoff GPO to shame them 🙂
04-24-2024 04:40 PM
Yeah, but I'm 'pretty sure' that is NOT what this represents since the logon times do NOT correspond to a time when anyone is actively logged in to these assets. We have policies in place to actively log out users on the servers after a period of inactivity (only a couple of hours), and the admin who brought this up to me knew that he had not logged on to the assets in scope for several days. And this is consistent across multiple assets and users. Hence this post to get some clarification on this item.
So thanks for the response, but I'm hoping for something a little more definitive. 🙂
04-24-2024 04:49 PM - edited 04-24-2024 05:27 PM
you can enter a support ticket if you want something definitive, but that's the way it should work, unless there's a bug in a newer version of the app - i'm on 11.1.5.1 and it is working as intended. I tend to say 'pretty sure' so I don't get anyone angry at me if I'm incorrect, which obviously failed in this case. In this scenario, I generally either log on to the server/machine in question and verify (if its a one-off case) and see the logged-on or disconnected user as expected, or, I run https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon
You can also reference: https://community.lansweeper.com/t5/reports-analytics/active-directory-user-last-logon/td-p/31109 "However, by default Lansweeper will only scan which user was logged in at the time of the Lansweeper scan." This post was by Esben - who is a LS employee and more importantly a super-nice guy.
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now