?
Solved

Get-WinEvent vs. Get-EventLog to get AD security log from multiple AD domain controllers ?

Posted on 2016-09-12
4
Medium Priority
?
328 Views
Last Modified: 2016-09-12
Hi All,

Can anyone here share some script or explanation how can I use Powershell Get-WinEvent or Get-EventLog to get some list of AD security event ?

I need the below information to see if any DOMAIN\Administrator account is in use or not anymore by anyone in my AD domain.

        Keywords: Audit Success
        Logon Type: 3
        Date: 13/09/2016 1:42:25 PM
        Security ID: Domain\Administrator
      Source Network Address: 10.188.15.19

Open in new window



Any help and suggestion would be greatly appreciated.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 41794245
You should rather have a look at the attribute "last logon".
https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-user-246f17c7
1
 
LVL 40

Accepted Solution

by:
Subsun earned 1000 total points
ID: 41794335
To check if the account is in use or not you can check the Last Logon time as mentioned in McKnife.

Here is a good article which you can refer..
Ref : https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

If you want to check logs then you can You can use the Get-WinEvent, an example can be found from the question which I answered recently..
https://www.experts-exchange.com/questions/28967041/How-to-see-Event-ID-1149-using-powershell-or-cmd-the-names-and-IPs-successfully-logged-in-my-remote.html
1
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41795481
Cool, thanks guys !
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41795483
@Subsun, Thanks for the help.

@McKnife too you rocks !
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Let's recap what we learned from yesterday's Skyport Systems webinar.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question