Solved

Discover All PCs where a user has logged in from in Active Directory

Posted on 2007-11-14
3
236 Views
Last Modified: 2012-05-05
I recieved an email today informing me that some folders had "gone missing" from the main network share.  I was able to locate the files in question - it looked like someone had dragged and dropped them by mistake.  I asked the individual whose username appeared in the created by folder property and they have protested their innocence - i tend to believe them as if it had of been them they would have been straight round to me in a panic.

Before i jump to the conclusion that it was another person who just happened to be using the first individuals unlocked pc i wanted to know if there was any way of querying the AD to discover if the username was used to log on via a different machine and then the files moved.

(And before you start dont mention file security, best practices etc - i have been trying to get these implemented since i got here in feb but nothing can be done without a policy - which i have written - but is yet to be agreed by the bods above! )
0
Comment
Question by:joemcgrath
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20279727
If I'm understanding you, you're looking for information about which user(s) have logged onto which PC(s) on your network.  Assuming that you have logging enabled on your workstations, you would need to query all workstations for logon events for the user in question - this information isn't stored centrally unless you have a third party log aggregating tool like MOM or something similar.
0
 

Author Comment

by:joemcgrath
ID: 20279812
I thought that the security log on the DCs would have the logon event information for each user?  Logging is switched on on all the pcs - suppose i better get started checking them!  Or is there anyway i can query them all remotely?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 125 total points
ID: 20280508
If you have logging enabled for account logon success events on the DCs, you will see an Account logon event for every user who authenticates against the DC, but I've found mixed results as to whether it captures the machine name/IP address.  It's worth querying, but the more definitive answer will come from aggregating your workstation logs.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question