joemcgrath
asked on
Discover All PCs where a user has logged in from in Active Directory
I recieved an email today informing me that some folders had "gone missing" from the main network share. I was able to locate the files in question - it looked like someone had dragged and dropped them by mistake. I asked the individual whose username appeared in the created by folder property and they have protested their innocence - i tend to believe them as if it had of been them they would have been straight round to me in a panic.
Before i jump to the conclusion that it was another person who just happened to be using the first individuals unlocked pc i wanted to know if there was any way of querying the AD to discover if the username was used to log on via a different machine and then the files moved.
(And before you start dont mention file security, best practices etc - i have been trying to get these implemented since i got here in feb but nothing can be done without a policy - which i have written - but is yet to be agreed by the bods above! )
Before i jump to the conclusion that it was another person who just happened to be using the first individuals unlocked pc i wanted to know if there was any way of querying the AD to discover if the username was used to log on via a different machine and then the files moved.
(And before you start dont mention file security, best practices etc - i have been trying to get these implemented since i got here in feb but nothing can be done without a policy - which i have written - but is yet to be agreed by the bods above! )
LauraEHunterMVP
If I'm understanding you, you're looking for information about which user(s) have logged onto which PC(s) on your network. Assuming that you have logging enabled on your workstations, you would need to query all workstations for logon events for the user in question - this information isn't stored centrally unless you have a third party log aggregating tool like MOM or something similar.
ASKER
I thought that the security log on the DCs would have the logon event information for each user? Logging is switched on on all the pcs - suppose i better get started checking them! Or is there anyway i can query them all remotely?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.