Geekzone: technology news, blogs, forums


xpd

#143070 2-Apr-2014 15:12

I'm more desktop rather than server, else I'd probably know this... :)

I need to find the logon history of a particular user, going back as far as AD logs will let me - I've had a look at quite a few different auditing tools but they either won't run, or don't offer me what I need.
I've been told to look at dsquery, which I have done, but it makes little sense to me at the moment...

Can anyone give me a quickfire way of getting the information I need, or am I stuffed? :)

I have full access to the server/AD.


TIA





XPD / Gavin

 


gjm

#1017275 2-Apr-2014 15:23


I use EventCombMT for troubleshooting lockouts, sure you could do the same for auditing logons... have a read here: http://windowsitpro.com/systems-management/take-advantage-eventcombmt-utility

My domain is 2003... not sure if it works on 2008 or 2012








Lias

#1017292 2-Apr-2014 15:51


Pretty sure you're screwed for historical purposes, unless the organisation has actively set up auditing of logon events.

Off the top of my head I'd imagine that going forward you could rig something up. Enable success audit logging on every DC, and forward the events to a central location.






xpd

#1017353 2-Apr-2014 16:41


Yeah, I'm thinking that. All these tools I've downloaded today claim they can do it yet none have been able to... oh well, looks like this project is going in the bin for now.






XPD / Gavin

 


 

 

 




Steve113

#1017485 2-Apr-2014 19:51


What exactly are you trying to audit?
Windows natively is messy in tracking this.
Local logons may not be tracked so easily.
With domain logons you could set up a PowerShell script that queries the event logs of each DC in your environment for a logon type event.
You may need to be more particular with your time frames, as DCs generally generate a lot of logs and may not keep logs for long unless specified otherwise.

If you have Altiris or other database collection software you could look at authentication logs from there.
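
An added example, not part of Steve113's post or the thread: one way to write the per-DC event log query described above. It assumes Windows Server 2008 or later domain controllers (where a Kerberos TGT request is event 4768), the ActiveDirectory module from RSAT, and that success auditing of Kerberos authentication was already enabled; `jsmith` and the 90-day window are placeholders.

```powershell
# Added example. Assumptions: 2008+ DCs, RSAT ActiveDirectory module,
# Kerberos authentication success auditing already enabled.
Import-Module ActiveDirectory

$User  = 'jsmith'                  # placeholder sAMAccountName
$Since = (Get-Date).AddDays(-90)   # only events still retained in each DC's log are returned

# Event 4768 = Kerberos TGT requested. It is written on whichever DC served
# the request, so every DC has to be queried. Filtering by event ID, age and
# account name on the DC side keeps the transfer small.
$ms    = [int64]((Get-Date) - $Since).TotalMilliseconds
$xpath = "*[System[(EventID=4768) and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
         "and *[EventData[Data[@Name='TargetUserName']='$User']]"

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -LogName Security `
                     -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object {
                $evt  = $_
                # Read fields by name from the event XML instead of by position.
                $data = @{}
                foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
                    $data[$node.Name] = $node.'#text'
                }
                [pscustomobject]@{
                    Time     = $evt.TimeCreated
                    DC       = $dc.HostName
                    User     = $data['TargetUserName']
                    ClientIP = $data['IpAddress']   # address of the PC that requested the ticket
                    Status   = $data['Status']      # 0x0 = ticket issued
                }
            }
    } catch {
        # Also reached when a DC simply has no matching events in its log.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

Event 4768 records the client's IP address rather than its computer name, so the address has to be mapped back to the office PC separately. The interactive logon itself (event 4624, logon type 2) is written to that PC's own Security log, not to the DCs.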

xpd

#1017635 3-Apr-2014 08:30


Trying to get historical login times for a user (when did they log into the office PC in the past few weeks/months) - but it appears going backwards is something Windows AD logging doesn't do so well :) (Funny... MS Windows seems to go backwards every few releases without an issue)

I've got 1.5hrs left to find a solution ;)





XPD / Gavin

 
