trevdelder
Engaged Sweeper

So this is for my team and me. I worked in a closed environment in which I have fewer users on my network than our corporate network does. So I am trying to collect data so I can start my maintenance windows earlier than the 7:30 pm that the corporate guys are doing, and from home no less. I am trying to figure out a query that will give me a daily report of the times my users either lock their computers or log off of them. If it wasn't just 2 of us working this network and the workload was a little better spread out, I wouldn't mind, but we are stuck here whether it is fixing something broken, Patch Tuesday or anything else. It just needs to go out to each computer, see the logout or lock time for the day, and gather that data. We have several people working, but the majority of the work is done on the corporate network and so some people don't log maybe once a week to check email. Any help would be much appreciated.

3 REPLIES 3
trevdelder
Engaged Sweeper

All computers on this particular network are hardwired. I have about 150-200 users and we have DISA STIGs set, so after 10 minutes the computer locks anyway. Annoying, yes, but everyone here is a dayworker and I am trying to collect enough data so that our team of 2 does not have to come in any later than we have to or stay an extra 30 mins if everyone is logging off this system earlier. I really do appreciate the help.

francisswest
Champion Sweeper

First, you would need to enable auditing of these events on your Windows machines and then use Lansweeper to pull the event logs.

Here’s a PowerShell script that you can use to pull the relevant event logs:

```powershell
# Define the event IDs for logoff and lock events
$logoffEventID = 4647
$lockEventID = 4800

# Get the event logs
$logoffEvents = Get-WinEvent -FilterHashtable @{Logname='Security'; ID=$logoffEventID}
$lockEvents = Get-WinEvent -FilterHashtable @{Logname='Security'; ID=$lockEventID}

# Create a custom object for each event and output it
$logoffEvents | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = $_.Properties[1].Value
        Event = "Logoff"
    }
}

$lockEvents | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = $_.Properties[1].Value
        Event = "Lock"
    }
}
```

This script will output a list of logoff and lock events with the time they occurred and the user who triggered them. From there, I assume it would be possible to have Lansweeper look at the event log for your assets, find those event IDs, then pipe them into a report for you.

That being said, you'd have to rescan the devices to get the most up-to-date event log whenever you wanted the data.

I'll keep digging.
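
Added example, not part of francisswest's post: a variant of the script above that limits the query to one day and keeps only each user's last lock or logoff, so the 10-minute idle locks during the day do not skew the departure time. The function name `Get-LastLockOrLogoff` and its parameters are hypothetical, and it assumes Success auditing is enabled for the "Logoff" (4647) and "Other Logon/Logoff Events" (4800) subcategories.

```powershell
# Added example: names and parameters are hypothetical, not from the thread.
# Assumes Success auditing is on for "Logoff" (4647) and
# "Other Logon/Logoff Events" (4800), and that the caller may read the Security log.
function Get-LastLockOrLogoff {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Day = (Get-Date)
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4647, 4800            # 4647 = user-initiated logoff, 4800 = workstation locked
        StartTime = $Day.Date             # midnight at the start of the day
        EndTime   = $Day.Date.AddDays(1)  # midnight at the end of the day
    }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No events found" is a normal result (nobody used the machine that day);
        # anything else (access denied, host unreachable) should surface.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    $events | ForEach-Object {
        # Read TargetUserName by field name from the event XML rather than by index.
        $xml  = [xml]$_.ToXml()
        $user = ($xml.Event.EventData.Data |
                 Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        [PSCustomObject]@{
            Computer = $ComputerName
            User     = $user
            Time     = $_.TimeCreated
            Event    = if ($_.Id -eq 4647) { 'Logoff' } else { 'Lock' }
        }
    } |
        Group-Object User |
        ForEach-Object { $_.Group | Sort-Object Time | Select-Object -Last 1 }
}

# Today's report for the local machine, earliest departure first.
Get-LastLockOrLogoff | Sort-Object Time | Format-Table -AutoSize
```

The last row of the sorted output is the latest lock or logoff seen that day, which is the earliest point a maintenance window could start on that machine.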

francisswest
Champion Sweeper

A very interesting idea!  Let me see if I understand this right:

Your responsibility is a closed network, separate from the corporate network. You have significantly fewer users, and you want to start your maintenance window sooner than the corporate team does. You want to know when *your* users either lock their devices (presuming they are leaving for the day) or outright log off of their system.

Couple of questions:

  1.  Are any of 'your' users remote?  If so, would you want to include a 'disconnected' reference?
  2.  How many users are we talking; 10, 100, 1000?
  3.  How trusting are you of all users properly locking or logging off their systems?

In the meantime, I'll see what I can whip up.