trevdelder
Engaged Sweeper

So this is for my team and me. I worked in a closed environment in which I have fewer users on my network than our corporate network does. So I am trying to collect data so I can start my maintenance windows earlier than the 7:30 pm that corporate guys are doing and from home no less. I am trying to figure out a query that will give me a report daily of times my users either lock their computers or log off of them. If it wasn't just 2 of us working this network and the work load was a little better spread out, I wouldn't mind, but we are stuck here whether it is fixing something broken, Patch Tuesday or anything else. Just needs to go out to each computer and see the logout or lock time for the day and can gather that data. We have several people working, but the majority of the work is done on the corporate network and so some people don't log maybe once a week to check email. Any help would be much appreciated.

2 REPLIES
francisswest
Champion Sweeper

First, you would need to enable auditing of these events on your Windows machines and then use Lansweeper to pull the event logs.

Here’s a PowerShell script that you can use to pull the relevant event logs:

# Define the event IDs for logoff and lock events
$logoffEventID = 4647
$lockEventID = 4800

# Get the event logs
$logoffEvents = Get-WinEvent -FilterHashtable @{Logname='Security'; ID=$logoffEventID}
$lockEvents = Get-WinEvent -FilterHashtable @{Logname='Security'; ID=$lockEventID}

# Create a custom object for each event and output it
$logoffEvents | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = $_.Properties[1].Value
        Event = "Logoff"
    }
}

$lockEvents | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = $_.Properties[1].Value
        Event = "Lock"
    }
}

This script will output a list of logoff and lock events with the time they occurred and the user who triggered them.  From there, I assume it would be possible to have Lansweeper look at the eventlog for your assets, find those eventIDs, then pipe them into a report for you.

That being said, you'd have to rescan the devices to get the most up-to-date eventlog whenever you wanted the data.

I'll keep digging.
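
A variation on the script in the reply above, narrowed to the daily report the question asks for: it queries only today's events and keeps the last lock or logoff per user. This is an added example, not part of the original reply or a Lansweeper feature; the `$DaysBack` parameter and the output column names are assumptions.

```powershell
# Added example: last lock/logoff per user per day from the local Security log.
# Event 4800 is only written when the "Other Logon/Logoff Events" audit
# subcategory is enabled, for example:
#   auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable
# Run elevated: reading the Security log requires administrator rights.
param(
    [int]$DaysBack = 1   # assumption: 1 = since midnight today, 2 = since yesterday, ...
)

$eventNames = @{ 4647 = 'Logoff'; 4800 = 'Lock' }
$since      = (Get-Date).Date.AddDays(1 - $DaysBack)

# One query for both IDs; StartTime limits what is read from the log.
$filter = @{ LogName = 'Security'; Id = 4647, 4800; StartTime = $since }

# Get-WinEvent raises an error when nothing matches, so suppress it and
# force an array so a quiet day yields an empty report instead of a failure.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Read fields by name from the event XML instead of by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [PSCustomObject]@{
        Computer = $e.MachineName
        Day      = $e.TimeCreated.ToString('yyyy-MM-dd')
        Time     = $e.TimeCreated
        User     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Event    = $eventNames[[int]$e.Id]
    }
}

# Keep only the latest lock or logoff for each user on each day.
$rows | Group-Object Computer, User, Day | ForEach-Object {
    $last = $_.Group | Sort-Object Time | Select-Object -Last 1
    [PSCustomObject]@{
        Computer  = $last.Computer
        User      = $last.User
        Day       = $last.Day
        LastEvent = $last.Event
        LastTime  = $last.Time.ToString('HH:mm:ss')
    }
} | Sort-Object Day, LastTime
```

A lock in the middle of the day is indistinguishable from one at the end of it, which is why only the last event per user per day is reported.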

francisswest
Champion Sweeper

A very interesting idea!  Let me see if I understand this right:

Your responsibility is a closed network, separate from the corporate network. You have significantly fewer users, and you want to start your maintenance window sooner than the corporate team does. You want to know when *your* users either lock their devices (presuming they are leaving for the day) or outright log off of their system.

Couple of questions:

  1.  Are any of 'your' users remote?  If so, would you want to include a 'disconnected' reference?
  2.  How many users are we talking; 10, 100, 1000?
  3.  How trusting are you of all users properly locking or logging off their systems?

In the meantime, I'll see what I can whip up.