Win32_LogonSession (Vista/2008)

Hi,

I enumerate associators of Win32_logonSession on XP/2003 and I can see
interactive users logged in with their domain accounts. I can also see RDP
sessions.

I enumerate associators of Win32_logonSession on Vista/2008 and I can ONLY
see local accounts such as SYSTEM and LOCAL SERVICE.

For code examples see Torgeir's example here

http://www.ureader.com/message/1436360.aspx

I would like to know a reliable way to get interactive logon and RDP
sessions using WMI on Vista/2008. Any ideas?


--
Gerry Hickman
London (UK)

After further testing, there is more to it. We have two domains in twoforests.

After further testing, there is more to it. We have two domains in two
forests.

In the domain that has Win2003 DCs we can use WMI to see Logon Sessions for
all users on XP/2003/Vista and 2008.

In the domain that has Win2008 DCs we can NOT use WMI to see Logon Sessions
for domain users on any o/s. BUT if we run WMI from the same machine we are
logged into, we can then see all Logon Sessions.

The issue therefore appears to be remote WMI when used in our Win2008
domain...

Good morning Gerry!

Good morning Gerry!

Could you please try out the sample code in this article and let me know
the test result?

http://blogs.msdn.com/alejacma/archive/2008/03/04/how-to-get-the-logged-on-u
ser-with-wmi-vbscript.aspx

(if the long URL is truncated by the newsgroup system, please concat it)

The code  gets the user who has logged on a given machine with VBScript &
WMI.


Regards,
Jialiang Ge  (jialge@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================

Hello Jialiang,Thank you for the help with this.

Hello Jialiang,

Thank you for the help with this. When I run the code in the article, I get
exactly the same results. Targeting servers in the Win2003 domain show
interactive domain users correctly. Targeting servers in the Win2008 domain
finds sessions, but does not map them to domain users - I just get a list of

Did you read the comments in that blog? It seems they are seeing exactly the
same problem.

Gerry Hickman wrote:I now wonder if there is a double hop issue, the chain

I now wonder if there is a double hop issue, the chain would look
something like this

WMI_Client->WMI_Server->AD

The WMI client contacts the WMI server and asks for Win32_LogonSession,
the server then maps Win32_LogonSession to Win32_Account as follows

class Win32_LoggedOnUser : CIM_Dependency
{
Win32_Account ref Antecedent;
Win32_LogonSession ref Dependent;
};

BUT

If the target account is a domain account, the WMI server will have to
contact AD (we assume) to get the account details. Unless the AD is
configured to allow ANONYMOUS access to user accounts, I do not see how
the WMI server can obtain the data used to populate the instance of
Win32_Account...



--
Gerry Hickman (London UK)

Hello GerryI am performing researches on this issue and will update you soon.

Hello Gerry

I am performing researches on this issue and will update you soon.

Regards,
Jialiang Ge  (jialge@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================

Hi Jialiang,I have an update on this.

Hi Jialiang,

I have an update on this.

I have traced the problem to the point where it tries to obtain user
accounts from the Win2008 domain. It looks like it is trying to connect to
AD as ANONYMOUS and fails. I can reproduce the problem without
Win32_LogonSession. I can simply request a Win32_Account object and see the
failure.

var oUser = oSvc.Get("Win32_Account.Domain='OLD',Name='Gerry'); //works
local and remote
var oUser = oSvc.Get("Win32_Account.Domain='NEW',Name='Gerry'); // fails
remote

Domain 'OLD' is Win2003
Domain 'NEW' is Win2008

I do not know how to solve this; it appears that remote WMI relies on
ANONYMOUS access in order to populate the Win32_Account class?

When we run WMI on the local box, we do not see the problem because it can
use impersonation.

This does not only affect Logon Sessions, it also has implications when
viewing ACLs on remote servers.

There must be a security setting on the Win2003 domain that is "weaker" than
on the Win2008 system, but I am not sure which setting. It would help to know
what mechanism WMI is using to obtain the user accounts from the domain
(e.g. WinNT provider).

--
Gerry Hickman
London (UK)

Hello GerryThanks for your efforts.

Hello Gerry

Thanks for your efforts. I am still discussing this with the product team. I
will update you about the findings on our side.

Regards,
Jialiang Ge  (jialge@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================

Hi Jialiang,Thank you for contacting the product team about this.

Hi Jialiang,

Thank you for contacting the product team about this. Were you able to
reproduce the problem, using the simple code to .Get a Win32_Account
instance via a remote machine against a Win2008 domain?



--
Gerry Hickman (London UK)

Hello GerryI found some relevant product issue report on my side.

Hello Gerry

I found some relevant product issue report on my side. According to their
log, PG is going to fix it in future release of OS.

I also find this workaround proposed by a community member. This seems the
best workaround that I have found so far. Please let me know whether it
works for you.

sub GetLogin(strComputer)

dim objWMIService
dim objEnum
dim obj
dim outParams

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

set objEnum = objWMIService.execQuery("select __relpath from win32_process
where
caption = 'explorer.exe'")


If objEnum.Count <> 0 then
for each obj in objEnum
set outParams = obj.ExecMethod_("GetOwner")
wscript.echo strcomputer & ": " & outParams.User
next
End If

end sub

Regards,
Jialiang Ge  (jialge@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================

Thank you for getting this answer from the product group, but it is not avery

Thank you for getting this answer from the product group, but it is not a
very helpful answer from them.

1. It does not explain why we see different behavior on Win2003/Win2008.
2. It does not clarify which o/s are affected, or what they mean by "future
release of OS", this could mean Windows 8?

I have carried out more tests with a Win32_Account instance on a remote
machine, and it is not able to obtain data from the Win2008 domain. This is a
serious problem.


Thanks, I have tested the work-around, but it is quite limited compared with
Win32_LogonSession, for example we want to view only RDP sessions, or only
interactive sessions. But this is no longer important, the issue above with
Win32_Account is a much bigger problem.


--
Gerry Hickman
London (UK)

Hello GerrySorry for my late response. I sent an email about this case to you.

Hello Gerry

Sorry for my late response. I sent an email about this case to you. Could
you please check your mailbox?

Regards,
Jialiang Ge  (jialge@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================