Discover All PCs where a user has logged in from in Active Directory

Posted on 2007-11-14
Last Modified: 2012-05-05
I received an email today informing me that some folders had "gone missing" from the main network share.  I was able to locate the files in question - it looked like someone had dragged and dropped them by mistake.  I asked the individual whose username appeared in the created by folder property and they have protested their innocence - I tend to believe them, as if it had been them they would have been straight round to me in a panic.

Before I jump to the conclusion that it was another person who just happened to be using the first individual's unlocked PC, I wanted to know if there was any way of querying the AD to discover if the username was used to log on via a different machine and then the files moved.

(And before you start, don't mention file security, best practices etc - I have been trying to get these implemented since I got here in Feb but nothing can be done without a policy - which I have written - but is yet to be agreed by the bods above!)
Question by:joemcgrath

Expert Comment

by:LauraEHunterMVP
ID: 20279727
If I'm understanding you, you're looking for information about which user(s) have logged onto which PC(s) on your network.  Assuming that you have logging enabled on your workstations, you would need to query all workstations for logon events for the user in question - this information isn't stored centrally unless you have a third-party log aggregating tool like MOM or something similar.

Author Comment

by:joemcgrath
ID: 20279812
I thought that the security log on the DCs would have the logon event information for each user?  Logging is switched on on all the PCs - suppose I better get started checking them!  Or is there any way I can query them all remotely?

Accepted Solution

by:
LauraEHunterMVP earned 375 total points
ID: 20280508
If you have logging enabled for account logon success events on the DCs, you will see an Account logon event for every user who authenticates against the DC, but I've found mixed results as to whether it captures the machine name/IP address.  It's worth querying, but the more definitive answer will come from aggregating your workstation logs.
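
The remote workstation query discussed in this thread, sketched as an added PowerShell example (not code from any poster). It assumes hosts running Windows Vista / Server 2008 or later, where a successful logon is Security event ID 4624, and an account allowed to read remote Security logs; the function name `Get-UserLogonSource` and the host names are hypothetical.

```powershell
# Added example. Assumes event ID 4624 (Vista / Server 2008 and later),
# remote event log access, and rights to read each host's Security log.
function Get-UserLogonSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[\w.\-$]+$')][string]$UserName,
        [Parameter(Mandatory)][string[]]$ComputerName,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $start = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    # Filter on the queried host so only matching logon events cross the wire.
    $xpath = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$start']]" +
             " and EventData[Data[@Name='TargetUserName']='$UserName']]"
    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -LogName Security `
                          -FilterXPath $xpath -ErrorAction Stop
        } catch {
            # Offline host, firewall, access denied, or no matching events.
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($evt in $events) {
            # Event data is name/value pairs; index by name, not by position.
            $data = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                LoggedOnAt  = $computer
                User        = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                LogonType   = [int]$data.LogonType  # 2 interactive, 3 network, 7 unlock, 10 RDP
                SourceHost  = $data.WorkstationName
                SourceIp    = $data.IpAddress
            }
        }
    }
}

# Usage (placeholder account and host names):
# Get-UserLogonSource -UserName 'jsmith' -ComputerName 'PC-001','PC-002' |
#     Sort-Object TimeCreated | Format-Table -AutoSize
```

The XPath comparison on `TargetUserName` is case-sensitive, so pass the account name as it appears in the log. Logon type 7 rows mark a workstation unlock, which helps separate a session resumed at the user's own PC from a fresh logon elsewhere.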