The concept of logon is not the same as it is in UNIX or mainframes. You don't necessarily have a hard connection to a
machine. It is better to think of the domain controllers as authenticating you versus logging you in. When a person logs
on to a PC, depending on how many resources on different servers they have, the domain controller could authenticate them
multiple times, once for each different server they have to touch.
So when you look at a domain controller, you can look through the event log to see who has been authenticated (as long
as auditing is enabled), but it won't tell you who is currently still online. Also, you will usually see multiple
authentications right together for the same person. If you want to know who has a hard connection to a domain controller
on the spot, you can enumerate the NetBIOS sessions open on the domain controller, as that will tell you who currently has a
connection to the DC. However, note that people could be "logged on" who don't have hard connections to the DC currently
because they timed out.
The event log stuff can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/readeventlog.asp which is the link for the
ReadEventLog API call.
The info for session enumeration can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netsessionenum.asp - NetSessionEnum.
To see logon sessions on a specific machine (say a workstation) check out
http://msdn.microsoft.com/library/d...curity/security/lsaenumeratelogonsessions.asp -
LsaEnumerateLogonSessions
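
The point about several authentications appearing together for one person, shown as an added example that is not part of the original post: it collapses authentication records already exported from a domain controller's event log into per-account bursts and reports when each account was last authenticated. The record layout, the sample data and the 10-second window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (not real log data): time of the authentication,
# the account, and the server the account was authenticated for.
SAMPLE_EVENTS = [
    ("2024-03-04 08:59:58", "alice", "FILESRV1"),
    ("2024-03-04 08:59:59", "alice", "PRINTSRV"),
    ("2024-03-04 09:00:01", "alice", "MAILSRV"),
    ("2024-03-04 09:00:30", "bob", "FILESRV1"),
    ("2024-03-04 13:15:00", "alice", "FILESRV1"),
    ("2024-03-04 13:15:02", "alice", "MAILSRV"),
]


def collapse_bursts(events, window_seconds=10):
    """Group each account's authentications into bursts.

    A record joins the account's current burst when it arrives within
    window_seconds of the previous record for that account (assumed window);
    otherwise it starts a new burst.
    """
    window = timedelta(seconds=window_seconds)
    bursts = {}  # account -> list of burst dicts, oldest first
    parsed = sorted((datetime.strptime(ts, FMT), user.lower(), target)
                    for ts, user, target in events)
    for when, user, target in parsed:
        user_bursts = bursts.setdefault(user, [])
        if user_bursts and when - user_bursts[-1]["end"] <= window:
            burst = user_bursts[-1]
            burst["end"] = when
            burst["count"] += 1
            burst["targets"].add(target)
        else:
            user_bursts.append({"start": when, "end": when,
                                "count": 1, "targets": {target}})
    return bursts


def last_authenticated(bursts):
    """Most recent authentication per account.

    This is when the DC last vouched for the account, not evidence that
    the account is still online.
    """
    return {user: user_bursts[-1]["end"] for user, user_bursts in bursts.items()}
```
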