Who was logged in (active directory) at a particular time

Posted on 2007-10-07
Last Modified: 2013-11-29
I am wondering if it's possible to find out who was logged into a computer on a 2003 AD domain at a particular time. Somebody stole a mobile phone that was sitting next to a computer after logging in and surfing the net for a while.

I have looked in the security event log on the domain controller but it doesn't go back far enough and the one on the computer is empty. Is there any way to find out?

Question by:mwm83
    LVL 8

    Accepted Solution

    Do you have a backup (including system state) for the DC?  If so, restore back to a spare machine using a time closer to the incident.
    LVL 5

    Assisted Solution

    You can tell who logged onto that machine at a particular time by looking in the security event viewer logs of the DCs (no backup required). If there are several DCs you may need to check more than one.
    LVL 70

    Assisted Solution

    If your security log does not go back far enough then you've had it; even with the security log it's not that easy - though there are tools like Log Parser that can help.

    It might be a good idea for the future to put a procedure in place for archiving the security log at intervals so that the data is there next time.

    This can easily be done by going into the security log on a regular basis and using "Save As"; the file can then be exported to csv format and imported into your database/spreadsheet (where it is also easier to analyse), before clearing the log.
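
The CSV analysis suggested in the last answer could look like the sketch below; it is an added example, not code from the thread. The column names, timestamp format and description wording are assumptions about the export, and the sample rows are constructed.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Windows Server 2003 security event IDs that record a logon or authentication.
LOGON_EVENTS = {"528": "interactive logon", "540": "network logon",
                "672": "Kerberos TGT granted", "673": "Kerberos service ticket",
                "680": "NTLM account logon"}
# Assumed description fields that carry the account name.
ACCOUNT = re.compile(r"(?:User Name|Logon account):\s*(\S+)", re.I)

def logons_near(csv_text, when, workstation, minutes=30,
                ts_format="%m/%d/%Y %I:%M:%S %p"):
    """Return sorted (timestamp, event id, account) tuples for logon events
    within +/- `minutes` of `when` that mention `workstation` (name or IP)."""
    window = timedelta(minutes=minutes)
    needle = workstation.lower()
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Event"] not in LOGON_EVENTS:
            continue
        # A wrong ts_format raises ValueError instead of silently dropping rows.
        ts = datetime.strptime(f'{row["Date"]} {row["Time"]}', ts_format)
        desc = row["Description"]
        # Compare whole tokens so 10.0.0.23 does not also match 10.0.0.230.
        tokens = {t.strip(".,;").lower() for t in desc.split()}
        if abs(ts - when) > window or needle not in tokens:
            continue
        m = ACCOUNT.search(desc)
        # The User column is often SYSTEM on a DC, so prefer the description.
        hits.append((ts, row["Event"], m.group(1) if m else row["User"]))
    return sorted(hits)

# Constructed sample export; every name, address and time is made up.
SAMPLE = r"""Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,10/5/2007,2:14:09 PM,Security,Account Logon,672,NT AUTHORITY\SYSTEM,DC01,User Name: jsmith Client Address: 10.0.0.23
Success Audit,10/5/2007,2:20:41 PM,Security,Account Logon,680,NT AUTHORITY\SYSTEM,DC01,Logon account: akhan Source Workstation: PC-FRONTDESK
Success Audit,10/5/2007,2:25:02 PM,Security,Account Logon,672,NT AUTHORITY\SYSTEM,DC01,User Name: tbrown Client Address: 10.0.0.230
Success Audit,10/5/2007,2:31:00 PM,Security,Logon/Logoff,538,EXAMPLE\jsmith,DC01,User Logoff
Success Audit,10/5/2007,9:02:33 AM,Security,Account Logon,672,NT AUTHORITY\SYSTEM,DC01,User Name: mlee Client Address: 10.0.0.23
"""

if __name__ == "__main__":
    incident = datetime(2007, 10, 5, 14, 30)
    for ts, event, account in logons_near(SAMPLE, incident, "10.0.0.23"):
        print(ts, event, LOGON_EVENTS[event], account)
```

Pass the workstation's IP address or NetBIOS name, whichever the domain controller records for the event type, and widen `minutes` if the session may have started well before the incident.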
