Query/extract from AD the users (members of 2 AD groups) who log in due to their membership of one of the groups

I have a group of about 50 users whose AD IDs are members of 2 domain groups:
"Payment Staff" as well as "Domain Users".
To be able to log in to a group of sensitive payment PCs (about 15 of them), they need to be members of "Payment Staff", while for any other general PCs (to read emails, browse the Internet etc.), just being a member of "Domain Users" is enough.

Basically, in the 15 PCs' local "Users" group, I've removed "Domain Users" and added "Payment Staff" to effect this control.

Audit wants me to review the 50 users' dormancy and the dates/times they log in to the sensitive payment PCs, so is there any way I could assess whether they have authenticated using the role they are granted through membership of "Payment Staff"? I'm not Wintel-trained, so my request may sound odd.

Is there any PowerShell command or tool to query AD to get a list of the "MEPS Staff" users who log in to the 15 PCs
(with date and time), by the criterion that they managed to log in due to their "MEPS Staff" membership, while excluding those records where they logged in by virtue of being members of "Domain Users"?

Or is this something that I can only extract from the 15 PCs' Event Viewer logs? This decentralized method will mean more effort once the number of PCs grows, and I would have to send these decentralized logs to a common location for me to pick up.

Gopi Raju, System Engineer, commented:
Run the commands below in the AD PowerShell module to get the list of users in the particular groups in AD.

Import-Module ActiveDirectory
Get-ADGroupMember -Identity "Name of Group" | Select-Object Name | Export-Csv -Path C:\Output\Groupmembers.csv -NoTypeInformation

Then for each PC (15 PCs) run the following command to get the currently logged-on user (replace <computername> with the PC's name).
(Get-WmiObject -ComputerName <computername> -Class Win32_ComputerSystem | Select-Object UserName).UserName

And then filter the data as per your requirements.
Please check the articles below if you have any doubts.
Kevin Stanush, Application Developer, commented:
The short answer to this is: no, there isn't any command that is going to get this information for you. The WMI command above will only show you who is currently logged on to a computer. It won't show any history, or what group was used to log on with.

If you have auditing turned on (for the domain), you can get the history information from the audit log, but it will require a script, and it is sort of complicated and time-consuming to run, depending on how large your organization is. The problem, though, is I don't think the audit log will show the group that provided the user the right to use these computers. I believe that Windows does not store anywhere the information on what group/token portion was used to grant access. The company to ask about this would be Netwrix, so you may want to contact their pre-sales/support and ask them.

Auditors ask for stuff all of the time that isn't possible. One alternative would be to run tests to see if a domain user can use these computers, instead of trying to audit the usage. Or, and this won't help looking back, you could run a script at logon that logs this information to a simple text file, which bypasses the complicated/dumb event log stuff and includes just the information you want. But again, it won't show what group gave the person access.

I may be wrong about the group member access point, so maybe another expert can chime in.
Jose Gabriel Ortega Castro, CEO, commented:
I have never seen such a requirement before.

You can see the last logon user and time (I've personally worked on this to get the last logon user and time).
Giving it a shot on TechNet, I've found this:

Maybe that could work. But the truth is that it is not possible to get the membership of a user at login time, and you should just allow login to those computers on a schedule and for the group that needs it, using a GPO.
Here's an example of how to do so: http://www.rebeladmin.com/2014/06/use-of-group-policies-to-control-log-on-hours-to-the-network/

But I have never heard of anything like it before, so the most secure thing is to get the information using a logon script that records the time and user, as Kevin said. As for Gopi's answer, it finds the users in a group, and you need to find out or make a text file with the names of the 15 computers, so you can have who was the last person to log in, but Windows doesn't have any historical data.

What I'm just thinking about is that you can go to the Event Viewer using PowerShell,
find Event ID 4624 (that's a logon)
and look for event 4647 (a logoff).
And you need the logic to correlate the logon with the logoff (if any).

Source of the ID: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4647

This way, with the Event Viewer, you could try to build some historical data.
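As an added example (not a script from this thread), the PowerShell below pulls the 4624 logon events mentioned above from each payment PC, keeps only interactive logon types, tags each row with whether the account is currently a member of "Payment Staff", keeps the TargetLogonId so the matching 4647 logoff can be joined later, and lists members with no logon in the window (dormancy). It assumes the ActiveDirectory RSAT module, remote read access to each PC's Security log, and the constructed computer names and output path shown; the logon event does not record which group granted access, so the membership flag reflects current group membership, not the logon token.

```powershell
# Added example: audit interactive logons on the payment PCs against "Payment Staff".
# PC names and output path are constructed placeholders; replace them with your own.
Import-Module ActiveDirectory

$PaymentPCs = @('PAYPC01', 'PAYPC02')      # the 15 payment PCs
$GroupName  = 'Payment Staff'
$Since      = (Get-Date).AddDays(-90)      # audit window
$OutCsv     = 'C:\Output\PaymentLogons.csv'

# Current group members, keyed by lower-case sAMAccountName
$Members = @{}
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $Members[$_.SamAccountName.ToLower()] = $_ }

# Interactive (2), RemoteInteractive (10), CachedInteractive (11) only;
# network/service logons (3, 5) say nothing about who sat at the PC.
$Interactive = 2, 10, 11

$Logons = foreach ($pc in $PaymentPCs) {
    try {
        $events = Get-WinEvent -ComputerName $pc -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction Stop
    } catch { Write-Warning "$pc : $($_.Exception.Message)"; continue }

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($Interactive -notcontains [int]$d['LogonType']) { continue }
        # skip machine accounts (trailing $) and Windows service/session accounts
        if ($d['TargetUserName'] -match '\$$|^(SYSTEM|DWM-|UMFD-)') { continue }
        $user = $d['TargetUserName'].ToLower()
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Computer  = $pc
            User      = $d['TargetDomainName'] + '\' + $d['TargetUserName']
            LogonType = $d['LogonType']
            LogonId   = $d['TargetLogonId']         # join key for the matching 4647 logoff
            InGroup   = $Members.ContainsKey($user) # False = logged on without group membership
        }
    }
}
$Logons | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation

# Dormancy: members with no interactive logon on any payment PC in the window
$Seen = $Logons | ForEach-Object { $_.User.Split('\')[1].ToLower() } | Sort-Object -Unique
$Members.Keys | Where-Object { $Seen -notcontains $_ } |
    ForEach-Object { "Dormant in window: $_" }
```

Rows with InGroup = False are the ones worth following up, since they indicate a logon to a payment PC by an account outside the group the local "Users" membership was meant to restrict to.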


David Johnson, CD, MVP, Owner, commented:
What I do is use logon/logoff scripts that execute simple batch files.

Logon script:
for /f "Tokens=2 Delims=[]" %%i in ('ping -n 1 "%computername%"') do set IP=%%i
echo %username% logged ON %computername%, IP=%IP% @ %time% %date% >> \\servername\sharename$\%username%.txt

Logoff script:
echo %username% logged OFF %computername% @ %time% %date% >> \\servername\sharename$\%username%.txt

Startup script:
for /f "Tokens=2 Delims=[]" %%i in ('ping -n 1 "%computername%"') do set IP=%%i
echo Started up, IP=%IP% @ %time% %date% >> \\servername\computers$\%computername%.txt

Shutdown script:
echo Shutdown @ %time% %date% >> \\servername\computers$\%computername%.txt

You could change these to output CSVs if so desired:
echo "Shutdown," %time%,%date% >> \\servername\computer$\%computername%.csv
You just have to initialize the files with the CSV header.

sunhux, Author, commented:
For David Johnson's scripts, are these run centrally from AD or one single computer, or do the scripts need to be embedded into each of the 15 PCs? If on each of the 15 PCs, whereabouts do I embed them?
sunhux, Author, commented:
The script from Jose will give me a superset of what I needed; let me discuss with our AD admin whether he's agreeable to this.
David Johnson, CD, MVP, Owner, commented:
"scripts, are these run centrally from an AD"
The scripts reside in SYSVOL and write to a network share. They are executed by every machine that has the GPO containing the logon script applied to it.
sunhux, Author, commented:
Thanks David.

"Maybe that could work. But the truth is, that is not possible to get the membership of a user in login time,"
For Jose's solution, does the script have to be run on the AD or Domain Controller server itself? I don't need the
membership, as I have the 15 PCs' IP addresses and I could filter them out. Since those 15 PCs are now enforced
such that only that AD group's users can log in to them, I could effectively review, based on those 15 PCs, who
logged in and who didn't; for those who didn't, I could pick them up manually.
sunhux, Author, commented:
If we have a pair of clustered DCs, do we run that script on both or just one of them?
So as not to overload the primary DC, I thought of running it on the passive DC.
sunhux, Author, commented:
Unfortunately, our DCs are still running PowerShell version 2, so they can't support that PS1 script.

Is there any equivalent cmd, VB or wmic command that could do the same extraction?
sunhux, Author, commented:

Is the above script run on the AD itself, or can we run it on any PC in the domain?
Do we need domain admin rights to run this script?