Domain Admins last logon time audit report

I need a report showing the last logon time for all members of the Domain Admins account group.  Ideally it would also include account status info (disabled/enabled, expired date..).  

This shouldn't be difficult, but after spending 5 hours playing with ADUC saved queries and SCOM ACS (which we have fully functional), I'm pulling my hair out. Any advice on how to get at this data easily and repeatedly?

 
tc100years Asked:
 
Mike Kline Commented:
Give adfind a shot by top MVP Joe Richards
http://www.joeware.net/freetools/tools/adfind/index.htm
adfind -default -f "&(objectcategory=person)(objectclass=user)(memberof=DN of your domain admin group)" samaccountname lastlogontimestamp -tdc -csv  > c:\AdminsLastLogon.csv
That will give you a csv file on your C drive with the lastlogon info for your domain admins.  Your domain has to be at W2K3 functional level for lastlogontimestamp to work.
If you need to quickly find the DN of your domain admin group use
adfind -sc g: "domain admins" dn
Thanks
Mike
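The report the question asks for, as an added example that is not part of the original thread or any poster's code: a PowerShell script that assumes the RSAT ActiveDirectory module and read access to every domain controller, with a placeholder output path. It collects the replicated lastLogonTimestamp that the adfind answer above relies on, plus the non-replicated per-DC lastLogon, alongside the account status fields.

```powershell
# Added example: Domain Admins last-logon and account-status report.
# Assumes the RSAT ActiveDirectory module; the output path is a placeholder.
Import-Module ActiveDirectory

$group   = 'Domain Admins'
$outFile = 'C:\Reports\DomainAdminsLastLogon.csv'   # placeholder path
$props   = 'lastLogon', 'lastLogonTimestamp', 'AccountExpirationDate',
           'LockedOut', 'PasswordLastSet'

# Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC); 0 or empty means "never".
function ConvertFrom-AdFileTime([object]$Value) {
    if ($null -eq $Value -or [int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

# -Recursive expands nested groups; keep user objects only.
$members = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# lastLogon is not replicated, so every DC is asked and the newest value kept.
$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($m in $members) {
    $newest = $null
    $user   = $null
    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $m.distinguishedName -Server $dc -Properties $props -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $dc for $($m.SamAccountName): $_"
            continue
        }
        $user = $u
        $seen = ConvertFrom-AdFileTime $u.lastLogon
        if ($seen -and (-not $newest -or $seen -gt $newest)) { $newest = $seen }
    }
    if (-not $user) { continue }
    [pscustomobject]@{
        SamAccountName        = $user.SamAccountName
        Enabled               = $user.Enabled
        LockedOut             = $user.LockedOut
        AccountExpires        = $user.AccountExpirationDate
        PasswordLastSet       = $user.PasswordLastSet
        LastLogonNewestDC_UTC = $newest
        LastLogonTimestampUTC = ConvertFrom-AdFileTime $user.lastLogonTimestamp
    }
}

$report | Sort-Object SamAccountName | Export-Csv -Path $outFile -NoTypeInformation
```

With default domain settings lastLogonTimestamp can lag the real logon by up to about 14 days, so the per-DC lastLogon column is the one to trust for recent activity.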
 
Premkumar Yogeswaran (Analyst II - System Administrator) Commented:
In this case you can use third-party software. Check this software:
http://www.quest.com/changeauditor-for-active-directory/

Change Auditor is the software used in our org.
It is good and powerful software to track and audit changes in Active Directory.
 
Premkumar Yogeswaran (Analyst II - System Administrator) Commented:
This software is also used for many other purposes in AD:
http://www.quest.com/active-directory/
 
jgpd Commented:
We are using DumpSec. It is free and very easy to handle.
You can find it here:
http://www.systemtools.com/somarsoft/?somarsoft.com
 
tc100years (Author) Commented:
jgpd,
How do I limit the DumpSec to just the Domain Admins group?  
 
jgpd Commented:
I did not see any filtering option, but if you select group in the available fields, you can import it as a CSV file, open it in Excel, and filter as you want.
Regards,
Jose
 
bsharath Commented:
Use this script as a logon script. It will record all admin activity henceforth.

Change the UNC path.
You will get the From machine and user name and To machine also...

' Shared log file (change this UNC path)
strLogFile = "\\sm\logs\DomainAdminLogonActivity.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForAppending = 8
Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
' Only logons by the account named "administrator" are recorded
If LCase(objNetwork.UserName) = "administrator" Then
	' Open for append, creating the file if it does not exist
	Set objFile = objFSO.OpenTextFile(strLogFile, intForAppending, True)
	If Left(UCase(objShell.ExpandEnvironmentStrings("%SESSIONNAME%")), 3) = "RDP" Then
		' RDP session: log the client machine, the target machine, the user and the client's console user
		objFile.WriteLine Now & vbTab & objShell.ExpandEnvironmentStrings("%CLIENTNAME%") & " accessed " & objNetwork.ComputerName & vbTab & objNetwork.UserName & vbTab & GetConsoleUser(objShell.ExpandEnvironmentStrings("%CLIENTNAME%"))
	Else
		' Console logon: log the machine and the user
		objFile.WriteLine Now & vbTab & objNetwork.ComputerName & vbTab & objNetwork.UserName
	End If
	' Release the handle on the shared log file
	objFile.Close
End If
 
Function GetConsoleUser(strComputer)
	' Returns name of user logged on to console 
	' If no users are logged on, returns "" 
	On Error Resume Next
	Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
	Set colProc = objWMIService.ExecQuery("Select Name from Win32_Process Where Name='explorer.exe'") 
	strConsoleUser = ""
	For Each objProcess In colProc 
		lngReturn = objProcess.GetOwner(strUser, strDomain) 
		If lngReturn = 0 Then 
			strConsoleUser = strUser
		End If
	Next
	If Err.Number <> 0 Then strConsoleUser = "<ERROR>"
	Err.Clear
	On Error GoTo 0
	GetConsoleUser = strConsoleUser
End Function

Question has a verified solution.
