Boswell's Q&A

Finding Users on the Network

Use Winscl to find out which computers your users are logged onto.

• By Bill Boswell
• 07/08/2003

Bill: Could you tell me which command to use (if any) to find out to which
workstation a user is logged onto [using their logon ID].
—Gabe Bauer, New York

Gabe,
This turns out to be a tricky proposition. A user can be logged in from many workstations and each workstation may use a different domain controller for authentication. You end up with two bits of information you need: the IP addresses for any of the user’s logon workstations and the DNS or NetBIOS names that correspond to those addresses.

The fastest way to find the IP addresses is to look them up in WINS, which you can accomplish in a couple of ways. You can open the WINS console and select a server then filter the result set to the first letter of the user you’re trying to find. Once you locate the user, you can expand the filter to show the workstation names corresponding to the same IP address.

It’s simpler, though, to use Winscl, a command-line tool from the Windows 2000 Resource Kit. Winscl tool doesn’t provide a single command-line syntax. You have to navigate through a few prompts. Here’s the syntax to search for a user called User1 on a WINS server called W2K-WINS1:

C:\>winscl n nome
UNC name of machine -- w2k-wins1
qn user1 1 03 0

Get Help from Bill Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column. When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

The n in the winscl line stands for Named Pipe. The nome stands for No Menu. The system prompts for a server name; here, enter the flat name. The qn in the next line stands for Query Name.

Here's what the numbers after the user name indicate:

1 – add the 16th byte for a service ID
03 – add the Messenger service
0 – no scope (a seldom-used NetBIOS feature)

The Winscl information dump shows this, including the IP address:

Name=(PHOENIXUSER10 )
NodeType=(3)
State=(ACTIVE)
TimeStamp=(Wed Jul 09 09:39:48)
OwnerId=(0)
Type Of Rec=(UNIQUE)
Version No (0 11ef)
Record is (DYNAMIC)
Address is (192.168.0.160)

You can use the SDB command in Winscl to show the other records that have the same IP address using this syntax:

Command -- sdb
Search by Address or Name (1 for Address, 0 for Name) -- 1
Address (dotted decimal) -- 192.168.0.160
Put records in wins.rec file (1 for yes, 0 for no) -- 0
Status returned is (SUCCESS - 0)
Searching records owned by 192.168.0.1

-----------------------

Name is (XP-PRO1        ). 16th char is (0)
NameLen is (17)
Type is (UNIQUE)
State is (ACTIVE)
Version No is (0 11c5)
Static flag is (0)
Timestamp is (Wed Jul 09 06:40:39)
IP Address is (192.168.0.160)

Skip past any user names or workstation names with Released status and find the workstation name with an Active status.

This technique works in real time but you need to keep the replication intervals in mind. It’s possible that a user might be logged on a domain controllers at two sites that point to two different WINS servers that haven’t fully replicated.