From experience, there have been plenty of occasions when users leave their computers for prolonged periods, often with browsers open, and come back to find malware on them. With the growing number of credential theft exploits available, administrators need to take a proactive stance to avoid these risks to their environment.

From a best practices standpoint, regularly closing out sessions also provides a better user experience.

The script below will help you identify which systems have current sessions, the state of those sessions (active, idle), and when they were logged on. If a session is idle, it reports for how long, shown as days+hours:minutes.

How to Use

Copy and paste the script below into your favorite text editor and save it as scan_sessions.ps1. Run it from a domain controller or a system that has the RSAT tools installed, in an Administrative PowerShell session, under an account that has logon rights to every system it targets.

The script requires one parameter, -mode, which selects whether you target workstations, servers, or all Windows systems.

Examples:
.\scan_sessions.ps1 -mode workstation
.\scan_sessions.ps1 -mode server
.\scan_sessions.ps1 -mode all

The script writes the results of the scan to scan_logons.txt in the directory where the script is located. It will take time to run, so be patient!

# -----------------------------------------------------------------
# Check for Current Sessions
# Created by: Christopher Clai - www.syntaxbearror.io
# -----------------------------------------------------------------
# Version 1.0 (August 5th, 2019)
# -----------------------------------------------------------------
#
# Example of running the script:
# .\scan_sessions.ps1 -mode [workstation|server|all] (define which type of system you want to scan)
#
# ##### CHANGELOG ########
# Version 1.0
#

# Script parameter: which class of system to scan.
param (
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,HelpMessage='Do you want to run this against workstations, servers, or all?')]
    [string]$mode
)

Import-Module ActiveDirectory

# Record what we find, next to the script rather than in whatever the current directory happens to be.
Start-Transcript -Path (Join-Path $PSScriptRoot "scan_logons.txt") -Append

# Determine what we are seeking today. Name is returned by default, so the
# expensive -Properties * lookup is not needed. @() keeps $servers an array
# even when a query returns a single computer (otherwise += would join strings).
# Note that -like without a wildcard behaves like -eq, so the "all" filter needs 'Windows*'.
if ($mode -eq "all") {
    $servers = @(Get-ADComputer -Filter "OperatingSystem -like 'Windows*'" | Select-Object -ExpandProperty Name)
}
elseif ($mode -eq "server") {
    $servers = @(Get-ADComputer -Filter "OperatingSystem -like 'Windows *Server*'" | Select-Object -ExpandProperty Name)
}
elseif ($mode -eq "workstation") {
    $servers  = @(Get-ADComputer -Filter "OperatingSystem -like 'Windows *7*'" | Select-Object -ExpandProperty Name)
    $servers += @(Get-ADComputer -Filter "OperatingSystem -like 'Windows *10*'" | Select-Object -ExpandProperty Name)
}
else {
    Write-Host "Scan mode is not defined. We cannot continue."
    Stop-Transcript
    exit
}

ForEach ($server in $servers) {
    If (Test-Connection -BufferSize 32 -Count 1 -ComputerName $server -Quiet) {
        Write-Host "`r`n $server is Online. Checking logged on users...`r`n"

        # quser lists USERNAME, SESSIONNAME, ID, STATE, IDLE TIME and LOGON TIME.
        # The switch form is /server:<name>. A host with no sessions reports
        # "No User exists for *" on stderr rather than printing a table.
        quser /server:$server | Out-Default
    }
    else {
        Write-Host "$server is not online... Checking next system...`r`n"
    }
}

Stop-Transcript
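The script above prints quser's table as-is, so deciding which sessions are stale still means reading each line by hand. The following is an added example (not part of the original script) that parses quser's fixed-width output, converts the days+hours:minutes idle column into a TimeSpan, and lists disconnected or long-idle sessions; the function names and the $sample rows are my own constructed assumptions, laid out to match quser's columns.

```powershell
# Added example, not from the original post: parse quser output into objects and
# flag disconnected or long-idle sessions. $sample is constructed text, not real output.
function ConvertTo-IdleTimeSpan {
    # quser prints idle time as "none" or "." (under a minute), minutes ("47"),
    # hours:minutes ("3:15") or days+hours:minutes ("1+02:34").
    param([string]$Idle)
    switch -Regex ($Idle) {
        '^(none|\.)$'          { return [TimeSpan]::Zero }
        '^(\d+)\+(\d+):(\d+)$' { return New-TimeSpan -Days $Matches[1] -Hours $Matches[2] -Minutes $Matches[3] }
        '^(\d+):(\d+)$'        { return New-TimeSpan -Hours $Matches[1] -Minutes $Matches[2] }
        '^\d+$'                { return New-TimeSpan -Minutes $Idle }
    }
    return $null
}

function ConvertFrom-QuserOutput {
    # Splits each row at the column offsets taken from quser's header line, so a
    # blank SESSIONNAME (typical for disconnected sessions) cannot shift columns.
    param([string[]]$Lines, [string]$ComputerName)
    $names  = 'USERNAME', 'SESSIONNAME', 'ID', 'STATE', 'IDLE TIME', 'LOGON TIME'
    $header = $Lines[0]
    $starts = foreach ($n in $names) { $header.IndexOf($n) }
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        if (-not $line.Trim()) { continue }
        $row = [ordered]@{ ComputerName = $ComputerName }
        for ($i = 0; $i -lt $names.Count; $i++) {
            $start = $starts[$i]
            $end   = [Math]::Min($(if ($i -lt $names.Count - 1) { $starts[$i + 1] } else { $line.Length }), $line.Length)
            $row[$names[$i].Replace(' ', '')] = if ($start -lt $end) { $line.Substring($start, $end - $start).Trim() } else { '' }
        }
        $row['IdleTimeSpan'] = ConvertTo-IdleTimeSpan $row['IdleTime']
        [pscustomobject]$row
    }
}

# Constructed sample rows laid out with quser's column widths (not real output).
$fmt = '{0}{1,-22}{2,-19}{3,2}  {4,-8}{5,9}  {6}'
$sample = @(
    ($fmt -f ' ', 'USERNAME', 'SESSIONNAME', 'ID', 'STATE', 'IDLE TIME', 'LOGON TIME'),
    ($fmt -f '>', 'jdoe', 'console', 1, 'Active', 'none', '8/5/2019 9:12 AM'),
    ($fmt -f ' ', 'asmith', '', 2, 'Disc', '1+02:34', '8/4/2019 6:40 AM'),
    ($fmt -f ' ', 'bwong', 'rdp-tcp#3', 3, 'Active', '47', '8/5/2019 8:01 AM')
)
# Report disconnected sessions and anything idle longer than the threshold.
# Against a live host, replace $sample with (quser /server:$server).
$threshold = New-TimeSpan -Hours 8
ConvertFrom-QuserOutput -Lines $sample -ComputerName 'WS01' |
    Where-Object { $_.State -eq 'Disc' -or $_.IdleTimeSpan -gt $threshold } |
    Format-Table ComputerName, UserName, State, IdleTime, LogonTime -AutoSize
```

Feeding the objects to Export-Csv instead of Format-Table gives you a per-host inventory you can diff between scans.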
