Solved

Discover All PCs where a user has logged in from in Active Directory

Posted on 2007-11-14
3
225 Views
Last Modified: 2012-05-05
I recieved an email today informing me that some folders had "gone missing" from the main network share.  I was able to locate the files in question - it looked like someone had dragged and dropped them by mistake.  I asked the individual whose username appeared in the created by folder property and they have protested their innocence - i tend to believe them as if it had of been them they would have been straight round to me in a panic.

Before i jump to the conclusion that it was another person who just happened to be using the first individuals unlocked pc i wanted to know if there was any way of querying the AD to discover if the username was used to log on via a different machine and then the files moved.

(And before you start dont mention file security, best practices etc - i have been trying to get these implemented since i got here in feb but nothing can be done without a policy - which i have written - but is yet to be agreed by the bods above! )
0
Comment
Question by:joemcgrath
  • 2
3 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20279727
If I'm understanding you, you're looking for information about which user(s) have logged onto which PC(s) on your network.  Assuming that you have logging enabled on your workstations, you would need to query all workstations for logon events for the user in question - this information isn't stored centrally unless you have a third party log aggregating tool like MOM or something similar.
0
 

Author Comment

by:joemcgrath
ID: 20279812
I thought that the security log on the DCs would have the logon event information for each user?  Logging is switched on on all the pcs - suppose i better get started checking them!  Or is there anyway i can query them all remotely?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 125 total points
ID: 20280508
If you have logging enabled for account logon success events on the DCs, you will see an Account logon event for every user who authenticates against the DC, but I've found mixed results as to whether it captures the machine name/IP address.  It's worth querying, but the more definitive answer will come from aggregating your workstation logs.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Resolve DNS query failed errors for Exchange
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question