1

I would like to find a way to determine what workstations or servers a user account has logged into.

Is there a script that can scan a DC for this info?

Alternately, any PC a user has logged onto should have a user profile for them on it. Is there a way to scan for user profile folders? Although I suppose this wouldn't be perfect since the naming convention is not always the same.

Basically I just need to see if UserA has logged into any workstations or servers besides their own. Any other suggestions?

skinneejoe

2 Answers

2

Unless you have an auditing product already in place there is no quick and easy way to do this. Here is what I have had to do in the past.

Find what workstations/servers a user has signed onto

The type of information you are looking for is not saved in the directory. The only way I know to do this without having a tool set up is to search the Security logs on all of your domain controllers. You are looking for Event ID 4624. Once you have your log filtered for this event, run a find for the security ID you are questioning. For my domain the logs are in the form netbios\samAccountName. Logon type 2 indicates interactive login (physically at a keyboard/mouse), logon type 3 indicates "impersonation" (for example, RDP). Under network information you should have the workstation name and IP address.

Here is some more information on Event ID 4624: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

Searching for profiles on machines

Firstly, I highly recommend that you target very specific machines if you go this route. This will be a very time-consuming process and relies on a few conditions existing to work. Namely, you need to be an administrator on the target and the administrative shares need to be enabled (\\computername\c$ for example).

You can try the following in PowerShell. Note you will need a list of machines (FQDN for each), the samAccountName of the user in question, and the NetBIOS of the domain in question. This is a quick example for Windows 7+ based computers. Adding in additional paths is easy. The script will print out any computers the profile path was found on.

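# Inputs (example values, replace with your own)
$computers      = @('pc01.example.test', 'srv01.example.test')  # FQDN of each machine to check
$samAccountName = 'UserA'
$domainNetBios  = 'EXAMPLE'

foreach($computer in $computers){
    # The profile folder is named either <user> or <user>.<domain>
    $tempPath1 = "\\" + $computer + "\c$\Users\" + $samAccountName + "\"
    $tempPath2 = "\\" + $computer + "\c$\Users\" + $samAccountName + "." + $domainNetBios + "\"
    if((Test-Path $tempPath1) -or (Test-Path $tempPath2)){
        Write-Output $computer
    }
}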

Extra Credit: Check the ACL of paths you find and see if the user is included.

EDIT: Here's another method for currently logged on sessions https://blogs.technet.microsoft.com/heyscriptingguy/2011/06/04/use-powershell-to-find-logon-sessions/

Eric Schnabel
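The Event ID 4624 search described in the answer above, written out in PowerShell as an added example that is not part of the original answer. The function names, the host name dc01.example.test, the account UserA and the sample event are constructed here; the field names (TargetUserName, LogonType, WorkstationName, IpAddress) are those of the 4624 event.

```powershell
function ConvertFrom-LogonEventXml {
    # Flatten one 4624 event (the XML returned by $event.ToXml()) into an object.
    param([Parameter(Mandatory)][string]$EventXml)
    $doc  = [xml]$EventXml
    $data = @{}
    foreach ($node in $doc.Event.EventData.Data) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }
    [pscustomobject]@{
        TimeCreated = $doc.Event.System.TimeCreated.GetAttribute('SystemTime')
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = [int]$data['LogonType']
        Workstation = $data['WorkstationName']
        IpAddress   = $data['IpAddress']
    }
}

function Get-UserLogonSource {
    # Query each DC's Security log. The XPath filter is evaluated on the DC,
    # so only 4624 events for the named account are returned.
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [Parameter(Mandatory)][ValidatePattern('^[\w.\-$]+$')][string]$SamAccountName,
        [int]$MaxEvents = 5000
    )
    $xpath = "*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"
    foreach ($dc in $DomainController) {
        # SilentlyContinue hides the "no events found" error; it also hides unreachable DCs.
        $query = @{ ComputerName = $dc; LogName = 'Security'; FilterXPath = $xpath
                    MaxEvents = $MaxEvents; ErrorAction = 'SilentlyContinue' }
        Get-WinEvent @query | ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() }
    }
}

# Constructed sample event, trimmed to the fields used, so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T08:30:00.0000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">UserA</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WKS-042</Data>
    <Data Name="IpAddress">192.0.2.15</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml $sample
# Against real DCs (requires rights to read their Security logs):
# Get-UserLogonSource -DomainController 'dc01.example.test' -SamAccountName 'UserA' |
#     Group-Object Workstation, IpAddress, LogonType | Select-Object Count, Name
```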
0

You need a list of computers and servers in a CSV file. Now assume that the name of the person you are looking for is skyra.

Get-Content C:\computers.csv |
    Select-Object @{Name='ComputerName';Expression={$_}}, @{Name='FolderExist';Expression={Test-Path "\\$_\c$\users\skyra"}}



You will see output like this:

Computername  folderexists
skyra-pc      true
Hppc          false
DisplayName