0

Is there any way to run a query in AD to check what PCs a user has logged into recently?

regards Mike

Ryan Fisher

3 Answers

3

As far as I am aware, AD does not keep a log of what PCs a user logged onto; the only thing it logs is the last logon time. This item is not synchronised across domain controllers either, so it can be a little unreliable if you have multiple DCs, unless you poll all DCs to find the latest time.

You could enable logging of User Logon events in the security log, export the log to CSV and use this to generate the report you are after. This also suffers from the fact that logon information is only logged by the DC that processes the request, and is not synchronised between DCs, so you would need to get this data from all of your DCs.

The PsLoggedOn script will tell you what machines users are currently logged into, if that is any use to you.

Sam Cogan
    AD does not store any list of the PCs a user has logged-on to. If you choose to use the security logs on your DCs to determine where users are logging-on, be aware that you need to monitor every security log on every DC because, technically, user logons can be processed by any DC. – Evan Anderson Oct 26 '09 at 15:43
  • Don't forget the Resource Kit Tool, eventcombmt.exe. It can easily be configured to contact all of your DCs and pull logon related audit data (there is even a pre-configured query for it). This is the simplest "git 'er done" approach. For more regular monitoring see products like SCCM, Quest Intrust, Splunk!, etc. – Ryan Fisher Apr 01 '10 at 17:29
  • If you're using Server 2008, and you have account auditing turned on for the Directory, you can search the various DC logs for Kerberos Authentication Service audit success/failures. You want to find the "TGT" events (id 4768) as these are the initial Kerberos logon audits and will log the client source IP. – Ryan Fisher Apr 01 '10 at 17:41
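As an added worked example (not code from any of the answers or comments above), here is a PowerShell script that applies the advice in this answer and its comments: it polls every DC, because each DC only logs the TGT requests it served, and collects successful event 4768 entries for one account together with the client address each one recorded. It assumes the ActiveDirectory module, "Audit Kerberos Authentication Service" enabled on the DCs, and rights to read each DC's Security log remotely; the `-Days` parameter and the reverse-DNS lookup are my additions.

```powershell
# Added example: list where one account obtained Kerberos TGTs (event 4768)
# by querying the Security log of every domain controller.
param(
    [Parameter(Mandatory)][string]$UserName,   # sAMAccountName, e.g. 'mike'
    [int]$Days = 7                             # assumed look-back window
)
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)
$seen  = @()

# A TGT request is logged only by the DC that handled it, so every DC is queried.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since }
    } catch {
        # Get-WinEvent also throws when no event matched; report and move on.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($ev in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data['TargetUserName'] -ne $UserName) { continue }   # case-insensitive
        if ($data['Status'] -ne '0x0') { continue }               # successful TGTs only

        # DCs record IPv4 clients as ::ffff:a.b.c.d; strip the prefix for lookups.
        $ip = $data['IpAddress'] -replace '^::ffff:', ''

        $seen += [pscustomobject]@{
            Time     = $ev.TimeCreated
            DC       = $dc.HostName
            ClientIP = $ip
            # 4768 holds an address, not a PC name; reverse DNS is best effort.
            Client   = $(try { [System.Net.Dns]::GetHostEntry($ip).HostName }
                         catch { '(no PTR record)' })
        }
    }
}

$seen | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because the event records an IP rather than a computer name, DHCP lease history is needed to attribute an address reliably when leases turn over quickly.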
0

There definitely is a way. We currently have it set up with a script that runs when a user logs in; it pops the PC name and logon time in the notes under the Telephones tab in AD. I will find the script and will post it up....

Regards

0

Not aware of any way to do this directly with AD, but if you have any kind of machine auditing system this should be fairly easy.

We use SCCM (aka SMS) for software deployment, as well as various auditing, and use this script as a quick look at where people have logged in. The full Asset Inventory service gives you much more info than this, but this is quick and easy. It's not 100% reliable (particularly if the user has logged onto multiple machines in a short time frame) but we use this script which should do what you want:

'Central Site Server
strComputer = "***"
'Central Site Code
strSiteCode = "***"

'Get userID
strUserName = InputBox("Enter User Name")

'Connect to the SMS provider on the central site server
Set objWMIService = GetObject("winmgmts://" & strComputer & "\root\sms\site_" & strSiteCode)

'Join discovery data (last logon user) to hardware inventory (computer name)
Set colUser = objWMIService.ExecQuery( _
    "select SMS_G_System_COMPUTER_SYSTEM.Name, SMS_R_System.LastLogonUserName " & _
    "from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM " & _
    "on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId " & _
    "where SMS_R_System.LastLogonUserName like '" & strUserName & "%'")

'Each pass overwrites the variables, so only the last matching machine is kept
For Each objUser In colUser
    LastUserName = objUser.SMS_R_System.LastLogonUserName
    MachineName = objUser.SMS_G_System_COMPUTER_SYSTEM.Name
Next

'Display info
MsgBox "Last machine that " & LastUserName & " logged onto was " & vbCrLf & MachineName
GAThrawn