Track Primary User v2.8

Description

The "Primary User" of an endpoint is the user who has logged on most frequently in a given history window (e.g. the past 10 logins).

This task monitors each login and records the most recent logins.  This information is stored in the following registry values:

[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats\LoggedIn]
[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats\LastLoggedInUser]
[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats\LastTime]
[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats\LogonHistory]
[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats\PrimaryUser]

Note:  This task will not run on domain controllers.

Note:  This task will be set as a policy and will run following each logon.


Property Details

ID: 2533
Status: Production - Fully Tested and Ready for Production
Title: Track Primary User v2.8
Domain: BESC
Category: Policy
Download Size: 0
Source: Custom
Source Severity: Custom
Source Release Date: 10/10/2007 12:00:00 AM
Keywords: Primary User, Windows, Owner
Is Task: True
Added by on 7/11/2013 8:55:02 PM
Last Modified by on 7/11/2013 9:01:27 PM
Counters: 5663 Views / 144 Downloads

Relevance

Used in 1 fixlet   * Results in a true/false
(exists logged on users) AND (((it contains "win2000" OR it contains "winxp" OR it contains "win2003" OR it contains "winvista" OR it contains "win2008" OR it contains "win7") of (name of operating system as lowercase)) AND product type of operating system != nt domain controller product type) AND ((not exists value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry) OR (value "LoggedIn" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry != (exists logged on users whose (active of it)) as string) OR (if (exists values "LogonHistory" of keys "HKLM\Software\BigFix\EnterpriseClient\userstats" of registry) then (value "LogonHistory" of keys "HKLM\Software\BigFix\EnterpriseClient\userstats" of registry as string does not contain (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi) as string) else TRUE))

Actions

Action 1 (default)

Script Type: BigFix Action Script
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats]" "LoggedIn"="{exists logged on users whose (active of it)}"
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats]" "LastLoggedInUser"="{tuple string item 0 of concatenation ", " of items 0 of ((item 0 of item 1 of it, item 1 of item 0 of it) of ((it,((preceding texts of firsts "%22" of following texts of firsts "Name=%22" of it, preceding texts of firsts "%22" of following texts of firsts ".LogonId=%22" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of (string values of selects "* from Win32_LoggedOnUser" of wmi)) & "|")))) of ((preceding texts of firsts "|" of it, following texts of firsts "|" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of ((if (it as string contains "LogonId") then (string values of it) else if (it as string contains "StartTime") then (time values of it as string) else "") of (selects "StartTime, LogonId from Win32_LogonSession where (LogonType=2 OR LogonType=10)" of wmi))) & "|")))) whose (item 0 of item 0 of it = item 1 of item 1 of it)) whose (item 1 of it = (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi as string))}"
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats]" "LastTime"="{maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi}"
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats]" "LogonHistory"="{if (exists logged on users whose (active of it)) then (if (exists values "LogonHistory" of keys "HKLM\Software\BigFix\EnterpriseClient\userstats" of registry) then ((if (value "LogonHistory" of keys "HKLM\Software\BigFix\EnterpriseClient\userstats" of registry as string contains (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi as string)) then ("") else ("::" & (tuple string item 0 of concatenation ", " of items 0 of ((item 0 of item 1 of it, item 1 of item 0 of it) of ((it,((preceding texts of firsts "%22" of following texts of firsts "Name=%22" of it, preceding texts of firsts "%22" of following texts of firsts ".LogonId=%22" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of (string values of selects "* from Win32_LoggedOnUser" of wmi)) & "|")))) of ((preceding texts of firsts "|" of it, following texts of firsts "|" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of ((if (it as string contains "LogonId") then (string values of it) else if (it as string contains "StartTime") then (time values of it as string) else "") of (selects "StartTime, LogonId from Win32_LogonSession where (LogonType=2 OR LogonType=10)" of wmi))) & "|")))) whose (item 0 of item 0 of it = item 1 of item 1 of it)) whose (item 1 of it = (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi as string))) & ";;" & (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi as string))) & (if (not exists value "LogonHistory" of keys "HKLM\Software\BigFix\EnterpriseClient\userstats" of registry) then "" else (concatenation of (("::" & item 0 of it & ";;" & item 1 of it) of (((items 0 of it, items 1 whose (it as time > (now - 7 * day)) of it) of ((preceding texts of firsts ";;" of it, following texts of firsts ";;" of it) of (substrings separated by "::" whose (it != "") of (value "LogonHistory" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string))))))))) else ("::" & (tuple string item 0 of concatenation ", " of items 0 of ((item 0 of item 1 of it, item 1 of item 0 of it) of ((it,((preceding texts of firsts "%22" of following texts of firsts "Name=%22" of it, preceding texts of firsts "%22" of following texts of firsts ".LogonId=%22" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of (string values of selects "* from Win32_LoggedOnUser" of wmi)) & "|")))) of ((preceding texts of firsts "|" of it, following texts of firsts "|" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of ((if (it as string contains "LogonId") then (string values of it) else if (it as string contains "StartTime") then (time values of it as string) else "") of (selects "StartTime, LogonId from Win32_LogonSession where (LogonType=2 OR LogonType=10)" of wmi))) & "|")))) whose (item 0 of item 0 of it = item 1 of item 1 of it)) whose (item 1 of it = (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi as string))) & ";;" & (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi as string))) else (value "LogonHistory" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string)}"
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats]" "PrimaryUser"="{if (exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" whose (exists value "LogonHistory" of it) of registry)) then (item 0 of ((items 0 whose ((concatenation of (unique values whose ((multiplicity of it = (maximum of multiplicities of unique values of preceding texts of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string)))) of preceding texts of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string)) as string) contains it) of it, items 1 whose (it as time = maximum of (((following texts of firsts ";;" of it) of (substrings separated by "::" whose (it != "") of (value "LogonHistory" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string))) as time)) of it) of (((preceding texts of firsts ";;" of it, following texts of firsts ";;" of it) of (substrings separated by "::" whose (it != "") of (value "LogonHistory" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string)))))) else "N/A"}"
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
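
The action above stores `LogonHistory` as `::user;;time` records, newest first, and drops records older than 7 days. As an added example (not part of the original task), the following Python reads such a value offline, for instance from a registry export during triage, and picks the most frequent user. It assumes timestamps in the RFC 822 style BigFix prints for times; the function names, the sample value and the tie-break (latest login wins) are this example's own choices, not the action's.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

WINDOW = timedelta(days=7)  # same cut-off as "now - 7 * day" in the action

# Constructed sample value: newest entry first, as the action prepends.
SAMPLE = (
    "::alice;;Thu, 11 Jul 2013 20:55:02 -0700"
    "::bob;;Thu, 11 Jul 2013 08:10:44 -0700"
    "::alice;;Wed, 10 Jul 2013 09:01:13 -0700"
    "::bob;;Tue, 09 Jul 2013 09:00:00 -0700"
    "::carol;;Mon, 01 Jul 2013 09:00:00 -0700"  # outside the 7-day window
    "::broken-record"                            # no ';;' separator
)
NOW = datetime(2013, 7, 12, tzinfo=timezone(timedelta(hours=-7)))  # constructed


def parse_logon_history(raw):
    """Return (user, datetime) pairs from '::user;;time::user;;time'."""
    entries = []
    for chunk in raw.split("::"):
        user, sep, stamp = chunk.partition(";;")
        if not sep or not user:
            continue  # leading empty piece or malformed record
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # timestamp is not in the assumed format
        if when.tzinfo is None:  # "-0000" offsets parse as naive datetimes
            when = when.replace(tzinfo=timezone.utc)
        entries.append((user, when))
    return entries


def primary_user(raw, now):
    """Most frequent user within WINDOW; ties go to the latest login."""
    recent = [(u, t) for u, t in parse_logon_history(raw) if t > now - WINDOW]
    if not recent:
        return "N/A"  # same placeholder the action writes without history
    counts = Counter(u for u, _ in recent)
    last_seen = {}
    for u, t in recent:
        last_seen[u] = max(t, last_seen.get(u, t))
    return max(counts, key=lambda u: (counts[u], last_seen[u]))


if __name__ == "__main__":
    print(primary_user(SAMPLE, NOW))
```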


Comments

jgstew -
See this alternative, particularly the last 2 : https://bigfix.me/analysis/details/2995831
fcruson -
Yep, I am running 9.1 and getting the same error -shucks
mkearns -
I'm still using 8.2 and ran into an import error, see below: "The content is 'Track_Primary_User_v2.8.bes' could not be imported. XML parsing error: Error parsing "as boolean database. The element 'AllowCancel' with value " failed to parse. Line 74, Character 40"
hp -
Original by Ben Kus. Modified to capture TS and other remote sessions (instead of just console logins) by Aram Eblighatian. Modified to handle Win7 and 64-bit by Harry Penner.