Solved

Discover All PCs where a user has logged in from in Active Directory

Posted on 2007-11-14
Last Modified: 2012-05-05
I received an email today informing me that some folders had "gone missing" from the main network share.  I was able to locate the files in question - it looked like someone had dragged and dropped them by mistake.  I asked the individual whose username appeared in the created by folder property and they have protested their innocence - I tend to believe them, as if it had been them they would have been straight round to me in a panic.

Before I jump to the conclusion that it was another person who just happened to be using the first individual's unlocked PC, I wanted to know if there was any way of querying the AD to discover if the username was used to log on via a different machine and then the files moved.

(And before you start, don't mention file security, best practices etc. - I have been trying to get these implemented since I got here in Feb but nothing can be done without a policy - which I have written - but is yet to be agreed by the bods above!)
0
Question by:joemcgrath
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20279727
If I'm understanding you, you're looking for information about which user(s) have logged onto which PC(s) on your network.  Assuming that you have logging enabled on your workstations, you would need to query all workstations for logon events for the user in question - this information isn't stored centrally unless you have a third-party log aggregating tool like MOM or something similar.
0
 

Author Comment

by:joemcgrath
ID: 20279812
I thought that the security log on the DCs would have the logon event information for each user?  Logging is switched on on all the PCs - suppose I better get started checking them!  Or is there any way I can query them all remotely?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 375 total points
ID: 20280508
If you have logging enabled for account logon success events on the DCs, you will see an Account logon event for every user who authenticates against the DC, but I've found mixed results as to whether it captures the machine name/IP address.  It's worth querying, but the more definitive answer will come from aggregating your workstation logs.
0
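
One way to run the remote query discussed in the accepted answer, as an added example that is not part of the original thread. It assumes Windows Vista/Server 2008 or later event IDs (4624 on workstations, 4768 and 4776 on DCs), an account allowed to read the Security log remotely, and placeholder user and computer names.

```powershell
# Added example, not from the thread. User and computer names are placeholders.
$TargetUser = 'jsmith'                     # placeholder: account under investigation
$Computers  = 'DC01', 'WS-001', 'WS-002'   # placeholder: DCs and workstations to query
$Since      = (Get-Date).AddDays(-2)       # how far back to search

# 4624 = successful logon (recorded on the machine that was logged on to)
# 4768 = Kerberos TGT requested, 4776 = NTLM credential validation (recorded on DCs)
$filter = @{ LogName = 'Security'; Id = 4624, 4768, 4776; StartTime = $Since }

$results = foreach ($computer in $Computers) {
    try {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Covers unreachable hosts, access denied, and "no matching events"
        Write-Warning "${computer}: $($_.Exception.Message)"
        continue
    }
    foreach ($evt in $events) {
        # Flatten the named EventData fields into a lookup table
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['TargetUserName'] -ne $TargetUser) { continue }

        # 4624 names the client in WorkstationName, 4776 in Workstation;
        # either can be empty or '-', which matches the "mixed results" above
        $source = $data['WorkstationName']
        if (-not $source) { $source = $data['Workstation'] }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            LoggedBy  = $computer            # machine whose log holds the event
            EventId   = $evt.Id
            LogonType = $data['LogonType']   # 4624 only: 2 = interactive, 3 = network, 7 = unlock
            Source    = $source
            IpAddress = $data['IpAddress']
        }
    }
}

# One timeline across all queried machines, oldest first
$results | Sort-Object Time | Format-Table -AutoSize
```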
