Hi Andrew, these are my mods to audit.vbs for now:
[code]
'''''''''''''''''''''''''''
' Mapped Drives '
'''''''''''''''''''''''''''
' This commented code lists only the current user's mapped drives
'if audit_location = "l" then
'  comment = "Mapped Drives Info"
'  Echo(comment)
'  On Error Resume Next
'  Set colItems = objWMIService.ExecQuery("Select * from Win32_LogicalDisk ",,48)
'  For Each objItem in colItems
'    if Left(objItem.ProviderName,2)="\\" then
'      form_input = "mapped^^^" & clean(objItem.DeviceID) & "^^^" _
'        & clean(objItem.FileSystem) & "^^^" _
'        & int(Round(objItem.FreeSpace /1024 /1024 /1024 ,1)) & "^^^" _
'        & clean(objItem.ProviderName) & "^^^" _
'        & int(Round(objItem.Size /1024 /1024 /1024 ,1)) & "^^^"
'      entry form_input,comment,objTextFile,oAdd,oComment
'      form_input = ""
'    end if
'  Next
'end if
comment = "Mapped Drives Info"
Echo(comment)
On Error Resume Next

' Assumes oReg (StdRegProv), objWMIService and the HKEY_USERS constant
' are already set up earlier in audit.vbs
'Searching the registry for stored profiles
strKeyPath = ""
oReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys
  ' Filtering out some well-known SIDs
  Select Case subkey
    Case ".DEFAULT"
    Case "S-1-5-18" 'Local System
    Case "S-1-5-19" 'Local Service
    Case "S-1-5-20" 'Network service
    Case Else
      If Instr(subkey, "_Classes") = 0 Then
        'Searching for mapped drives
        'Echo("SID: " & subkey)
        strKeyPath2 = subkey & "\Network"
        oReg.EnumKey HKEY_USERS, strKeyPath2, arrSubKeys2
        For Each subkey2 in arrSubKeys2
          If subkey2 <> "" Then
            'Found mapped drive
            'Searching for the username matching the SID
            'Reset first so a name from a previous profile is never reused
            MapUserName = ""
            MapUserDomain = ""
            Set colItems = objWMIService.ExecQuery("Select Name, Domain from Win32_UserAccount where SID = '" & subkey & "'",,48)
            'colItems is an object collection and cannot be compared to "",
            'so check whether the loop actually found an account
            For Each objItem in colItems
              MapUserName = objItem.Domain & "\" & objItem.Name
            Next
            If MapUserName = "" Then
              'No account found through WMI: searching the registry for user info
              strKeyPath3 = subkey & "\Software\Microsoft\Windows\CurrentVersion\Explorer"
              oReg.GetStringValue HKEY_USERS, strKeyPath3, "Logon User name", MapUserName
              strKeyPath4 = subkey & "\Volatile Environment"
              oReg.GetStringValue HKEY_USERS, strKeyPath4, "USERDNSDOMAIN", MapUserDomain
              MapUserName = MapUserName & "@" & MapUserDomain
            End If
            Echo ("MapUserName: " & MapUserName)
            'Reading mapped drive details
            DeviceId = subkey2
            strKeyPath5 = strKeyPath2 & "\" & subkey2
            oReg.GetStringValue HKEY_USERS, strKeyPath5, "RemotePath", ProviderName
            oReg.GetStringValue HKEY_USERS, strKeyPath5, "UserName", ConnectAs
            Echo("DeviceID: " & DeviceId)
            Echo("ProviderName: " & ProviderName)
            Echo("ConnectAs: " & ConnectAs)
            FileSystem = ""
            FreeSpace = ""
            Size = ""
            form_input = "mapped^^^" & DeviceID & "^^^" & FileSystem & "^^^" & FreeSpace & "^^^" _
              & ProviderName & "^^^" & Size & "^^^"
            entry form_input,comment,objTextFile,oAdd,oComment
            form_input = ""
          End If 'subkey2 <> ""
        Next 'subkey2 in arrSubKeys2
      End If 'Instr(subkey, "_Classes") = 0
  End Select
Next ' subkey In arrSubKeys
[/code]
Take a look at what is displayed on screen during the "mapped drives info": we are retrieving:
- each user who has persistent mapped drives for his/her profile
- the drive letter assigned to the mapped resource
- the UNC remote path
- the user account name used to connect

If it's OK we could:
- delete the "audit_location" value from the audit.config file (it's no longer needed)
- drop "mapped_file_system", "mapped_free_space" and "mapped_size" columns from the "mapped" table (or leave them there, but we don't use them)
- add "mapped_username" and "mapped_connect_as" columns to the "mapped" table
- modify system_viewdef_os.php and include_menu_array.php accordingly
_________________ Edoardo