Determine logged on user on Windows computer from Linux
Solution 1
I found how to do this using Samba on the Linux computer.
I installed and configured Kerberos and Samba to access the domain. I modified /etc/samba/smb.conf
, /etc/krb5.conf
, and /etc/hosts
. I then used some net
commands from a script (net
is a command-line interface to Samba):
net rpc registry enumerate 'HKEY_USERS' -S xpcomputer.ad.company.com -U '[email protected]%password'
giving a list of the security identifiers for the users that are currently loaded in the registry:
Keyname = .DEFAULT
Modtime = Thu, 02 Dec 2010 14:31:14 EST
Keyname = S-1-5-19
Modtime = Thu, 02 Dec 2010 14:31:16 EST
Keyname = S-1-5-19_Classes
Modtime = Thu, 02 Dec 2010 14:31:16 EST
Keyname = S-1-5-20
Modtime = Thu, 02 Dec 2010 14:31:16 EST
Keyname = S-1-5-20_Classes
Modtime = Thu, 02 Dec 2010 14:31:16 EST
Keyname = S-1-5-21-8915387-325552579-1798637320-4573
Modtime = Fri, 03 Dec 2010 22:53:39 EST
Keyname = S-1-5-21-8915387-325552579-1798637320-7772
Modtime = Wed, 08 Dec 2010 07:51:26 EST
Keyname = S-1-5-21-8915387-325552579-1798637320-7772_Classes
Modtime = Wed, 08 Dec 2010 07:51:26 EST
Keyname = S-1-5-18
Modtime = Thu, 02 Dec 2010 14:31:14 EST
I then run the net ads sid
command to lookup active directory entries based on the user SID. This might only work for domain users; I'm not sure if it works for users logged on using a local account. It seems that if there are multiple SIDs, the only one that works is the one that has a corresponding "_Classes" entry.
net ads sid 'S-1-5-21-8915387-325552579-1798637320-7772' -W COMPANY -U '[email protected]%password'
This gives some errors, but still results in printing the user's entire Active Directory information. It is fairly slow, possibly due to the errors, so I might cache the SID-to-username mapping.
[2010/12/08 10:03:00, 0] libads/kerberos.c:882(create_local_private_krb5_conf_for_domain)
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.HpBqKJ. Errno Permission denied
[2010/12/08 10:03:02, 0] libads/kerberos.c:882(create_local_private_krb5_conf_for_domain)
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.BCzT0T. Errno Permission denied
Got 1 replies
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: [Lastname], [Firstname]
sn: [Lastname]
c: US
physicalDeliveryOfficeName: ...
telephoneNumber: ...
...(many more fields)...
mailNickname: FLastname
...
The mailNickname field contains the user name (at least for the users I have tested so far).
Solution 2
I found this question while looking for a solution to the exact same problem. Staring with Justin's answer above I finally came up with this bit of Perl. $Comp is the name of the computer we wish to interrogate.
$Res = `/usr/bin/net rpc registry enumerate 'HKEY_USERS' -S $Comp -U 'user\@domain\%password' | /bin/grep _Classes`;
# For this application we're only interested in one entry and don't care if there are more
$Res =~ /= (.+)_Classes/;
$Sid = $1;
$Res = `/usr/bin/net ads sid -W domain -I IP_address_of_DC -U 'user\@domain\%password' "$Sid"`;
$Res =~ /sAMAccountName: (.*)/;
$User = $1; # The user logon ID
$Res = `/usr/bin/net ads search "(sAMAccountName=$User)" -U 'user\@domain\%password'`;
$Res =~ /displayName: (.*)/;
# The user's display name, which is what we're after
$Name = $1;
If speed is an issue, as it was for Justin, check to ensure the realm and workgroup settings are correct in smb.conf.
Related videos on Youtube
Justin
Updated on September 17, 2022Comments
-
Justin over 1 year
How can I determine who is logged on to a remote Windows XP computer from Linux? I do not have administrator access on the domain or on the remote computer.
I can do it from a separate Windows computer using
PsLoggedOn -L \\computer
from PsToolsI've tried using
nmblookup -A remotecomputer
, but I only see entries for the computer and the domain, not a<03>
entry for the user.I've also tried running PsLoggedOn under wine; I get an error:
Connecting to Registry of \\computer.company.com... fixme:reg:RegConnectRegistryW Connect to L"computer.company.com" is not supported.
I started looking into winexe, but it looks like I would need administrative rights on the remote computer to get it working.
-
Dolanor over 11 yearsWith your current answer, How can you determine which of the HKEY_USERS of the computer are currently logged on ? I tried on my network with an AD, but the
net rpc registry
command doesn't give me a correct output : Keyname = d__(+ Classname = Modtime = Thu, 12 Oct 4461634 12:03:12 CET This is all the output I have. -
Justin over 11 yearsI don't know enough about the
net rpc registry
command to speculate why it would give such garbage output... I recommend you start a new question about it. -
Dolanor over 11 yearsI've found the problem. Red Hat linux, with an old hidden in the forest samba
net
tool which doesn't work with our AD/network/windows. I tested on a VirtualBox with ubuntu 12.04, and the net rpc registry works just fine. Thank you !
-
-
Justin over 13 yearsUnfortunately, I'm not able to install software on the remote computer. It is very tightly controlled since it is used to interface with some specialized equipment.