Finding Users on the Network

Use Winscl to find out which computers your users are logged onto.

Bill: Could you tell me which command to use (if any) to find out to which
workstation a user is logged onto [using their logon ID].
—Gabe Bauer, New York

This turns out to be a tricky proposition. A user can be logged in from many workstations and each workstation may use a different domain controller for authentication. You end up with two bits of information you need: the IP addresses for any of the user’s logon workstations and the DNS or NetBIOS names that correspond to those addresses.

The fastest way to find the IP addresses is to look them up in WINS, which you can accomplish in a couple of ways. You can open the WINS console and select a server then filter the result set to the first letter of the user you’re trying to find. Once you locate the user, you can expand the filter to show the workstation names corresponding to the same IP address.

It’s simpler, though, to use Winscl, a command-line tool from the Windows 2000 Resource Kit. Winscl tool doesn’t provide a single command-line syntax. You have to navigate through a few prompts. Here’s the syntax to search for a user called User1 on a WINS server called W2K-WINS1:

C:\>winscl n nome
UNC name of machine -- w2k-wins1
qn user1 1 03 0

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

The n in the winscl line stands for Named Pipe. The nome stands for No Menu. The system prompts for a server name; here, enter the flat name. The qn in the next line stands for Query Name.

Here's what the numbers after the user name indicate:

1 – add the 16th byte for a service ID
03 – add the Messenger service
0 – no scope (a seldom-used NetBIOS feature)

The Winscl information dump shows this, including the IP address:

TimeStamp=(Wed Jul 09 09:39:48)
Type Of Rec=(UNIQUE)
Version No (0 11ef)
Record is (DYNAMIC)
Address is (

You can use the SDB command in Winscl to show the other records that have the same IP address using this syntax:

Command -- sdb
Search by Address or Name (1 for Address, 0 for Name) -- 1
Address (dotted decimal) --
Put records in wins.rec file (1 for yes, 0 for no) -- 0
Status returned is (SUCCESS - 0)
Searching records owned by


Name is (XP-PRO1        ). 16th char is (0)
NameLen is (17)
Type is (UNIQUE)
State is (ACTIVE)
Version No is (0 11c5)
Static flag is (0)
Timestamp is (Wed Jul 09 06:40:39)
IP Address is (

Skip past any user names or workstation names with Released status and find the workstation name with an Active status.

This technique works in real time but you need to keep the replication intervals in mind. It’s possible that a user might be logged on a domain controllers at two sites that point to two different WINS servers that haven’t fully replicated.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

comments powered by Disqus

Reader Comments:

Sat, Sep 11, 2010 kidney infection symptoms

I agree with Anonymous that NBSTAT only works if the messenger service is turn on.

Fri, Jun 25, 2010 SEO Services canada

Don't know what is wrong what is rite but i know that every one has there own point of view and same goes to this one..

Fri, Apr 30, 2010

From any windows xp or above computer joined to the active directory domain, type the following from a command prompt. And yes, you need the quotes or it won't work.

net view | find "username"

Wed, Feb 21, 2007 Anonymous Anonymous

i think NBSTAT only works if the messenger service is on though..

Mon, Jan 16, 2006 khizar pakistan

r u here

Thu, Nov 24, 2005 Anuar Kazakhstan

Not for environment with WINS disabled.
I belive there are 2 steps to resolve the issue:
1. Query DCs and find on which one user logged last time.
2. Query Security Log of found DC for computer name (Domain admin privileges required).

Tue, Apr 19, 2005 DH Anonymous

Yes this is good if you have WINS installd but in a 2000 and 2003 DNS environment we don't have many options. Lets try to be current and update for the new OS's.

Fri, Jan 21, 2005 Anonymous Anonymous

This works great if you still have WINS running on your network... Mine doesn't have WINS, netbios is disabled, and even if you did enable it, you can't use the "net send" or nbtstat commands because the messenger service is disabled on all the PCs. There has to be a better way of doing this instead of relying on old Windows NT technology.

Sun, Nov 23, 2003 Anonymous Anonymous

several students at a local university were using this very method to find friends on campus. The sys admin decided this was hacking activity and they were expelled. Be cautious???

Thu, Jul 17, 2003 Dean Mitchener London

Good to know the nuts and bolts way of doing things - Thanks Henko

The sysinternals is also a nice solution as well as the winscl. Definitely solve the problem with these suggestions.

Wed, Jul 16, 2003 Alexis Baghdad

Good info. Didn't know about. I am sure that in some point I will be using this trick.

Mon, Jul 14, 2003 Gabe New York

Thanks all, this is a great place to find help...

Fri, Jul 11, 2003 Anonymous Anonymous

make it more for a newb. I am a fairly decent admin able to perform all functions to run 32 server server farm. WTF is this though.

Wed, Jul 9, 2003 Anonymous Anonymous

Did not know about the Winscl command. I have been using NBTSTAT in a similar way to Henko.

Wed, Jul 9, 2003 Richard M.

Good info site for different ideas to try

Tue, Jul 8, 2003 Henko TerBlanche Lower Manhattan, New York, NY, USA

The following isn't a perfect solution, but I've found it useful on many an occasion, especially since I had no rights to the WINS servers at some big companies I've worked at:

1. Open DOS / Command Prompt. Type “NET SEND USERNAME blah”
2. This should use regular NetBIOS name resolution to find the IP address where the Messenger service for that USERNAME is currently registered, and attempt to send NET SEND message.
3. If all goes well you should se a “The message was successfully sent to USERNAME.” message.
4. Now run “NBTSTAT -c” which “Lists NBT's cache of remote [machine] names and their IP addresses”, and amongst other things, should show you the IP address of the computer where that user’s USERNAME is currently registered via the Messenger service.
5. Optional step to determine the computername: “NBTSTAT -A IP-Address-determined-in-step-4".

Tue, Jul 8, 2003 Anonymous Anonymous

We still use NBT. I use a tool called nbtscan to find out who's logged on where. Scan the whole subnet, direct output to a textfile, and search for the username in the text file.
I'd be really interested to find out how this is done on a non-WINS, non-NBT network, though. Something with reverse lookups in DNS?

Tue, Jul 8, 2003 Anonymous Anonymous

The messenger (03h) entry only gets entered for the first machine the user is logged into. Wins will not register an entry for subesquent logins by the same user. So you will only be able to find one (the first) machine they are logged on to.

Tue, Jul 8, 2003 Fred Boston

This is great but we disabled WINS and disabled NetBIOS over TCPIP over a year ago...

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.