Query/extract from AD the users (members of 2 AD groups) who log in due to their membership of 1 of the groups

I have a group of about 50 users whose AD IDs are members of 2 domain groups,
"Payment Staff" as well as "Domain Users":
to be able to log in to a group of sensitive payment PCs (about 15 of them), they need to be a member of "Payment Staff", while for any other general PCs (to read emails, browse the Internet etc), just being a member of "Domain Users" is enough.

Basically, on the 15 PCs' local "Users" group, I've removed "Domain Users" & added "Payment Staff" to the "Users" group to effect this control.

Audit wants me to review the 50 users' dormancy & the dates/timings they log in to the sensitive payment PCs, so is there any way I could assess if they have authenticated using the role that they're granted through membership of "Payment Staff"? I'm not Wintel-trained so my request may sound odd.

Is there any PowerShell command or tool to query the AD to get a list of the "MEPS Staff" users who log in to the 15 PCs
(with date & time) by the criteria that they managed to log in due to their "MEPS Staff" membership, while excluding those records where they logged in by the fact that they are members of "Domain Users"?


Or is this something that I can only extract from the 15 PCs' event viewer logs? This decentralized method will mean more effort once the # of PCs grows & I have to send these decentralized logs to a common location for me to pick up.
sunhux asked:
Jose Gabriel Ortega C, CEO J0rt3g4 Consulting Services, commented:
I have never seen such a requirement before.

You can see the last login time (I've personally worked on this and got the last logon user and time).
Giving it a shot on TechNet I've found this:
https://gallery.technet.microsoft.com/scriptcenter/Get-All-AD-Users-Logon-9e721a89

Maybe that could work. But the truth is that it is not possible to get the membership of a user at login time, and you should just allow the login into those computers on a schedule and to the group that needs it, using a GPO.
Here's an example of how to do so: http://www.rebeladmin.com/2014/06/use-of-group-policies-to-control-log-on-hours-to-the-network/

But I have never heard of anything like it before, so the most secure thing is that you can get the information using a logon script that records the time and user, like Kevin said. And about Gopi's answer: it finds the users in a group, and you need to find out or make a text file with the names of the 15 computers, so you can get who was the last person to log in, but Windows doesn't have any historical data.

What I'm just thinking about is that you can go to the event viewer using PowerShell,
find EventID 4624 (that's a login)
and look for event 4647 (for a logoff).
And you need the logic to correlate the login with the logoff (if any).

Source of the ID: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4647

This way, with the event viewer, you could try to build some historical data:
https://technet.microsoft.com/en-us/library/ee176846.aspx?f=255&MSPPError=-2147217396
1
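The 4624/4647 correlation described in the answer above, written out as an added example (this is not code from the thread or from any of the linked articles). It pulls interactive logons from each payment PC's Security log, keeps only members of "Payment Staff", and pairs each logon with its logoff through the TargetLogonId field. Assumed: the RSAT ActiveDirectory module is installed where the script runs, the running account can read each PC's Security log remotely (for example via the "Event Log Readers" group), the "Audit Logon" and "Audit Logoff" subcategories are enabled on the PCs, and the file paths are placeholders. As Kevin notes further down, the 4624 event records the account, logon type and workstation but not which group satisfied the "Allow log on locally" right, so the group filter here comes from AD, not from the event.

```powershell
# Added example (not from the thread): collect interactive logons from the Security
# log of each payment PC, keep only members of "Payment Staff", and pair each 4624
# logon with its 4647/4634 logoff via TargetLogonId. Written with PowerShell 2.0-era
# syntax (New-Object rather than [pscustomobject]).
# Assumptions: RSAT ActiveDirectory module present; remote Security log readable by
# the running account; Audit Logon/Logoff enabled on the PCs; paths are placeholders.
Import-Module ActiveDirectory

$paymentPCs = Get-Content 'C:\Audit\payment-pcs.txt'   # one hostname per line (the 15 PCs)
$since      = (Get-Date).AddDays(-90)                   # audit window
$groupName  = 'Payment Staff'

# SamAccountNames of the group (nested groups expanded), lower-cased for matching
$staff = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLower() }

# Read one named field out of the <EventData> section of a Security event.
# Matching by name is more robust than positional Properties[] indexes, which differ by OS.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$sessions = foreach ($pc in $paymentPCs) {
    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $since }
    try {
        $events = Get-WinEvent -ComputerName $pc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "${pc}: $($_.Exception.Message)"   # PC offline, access denied, or no events in window
        continue
    }

    $logons  = @{}   # TargetLogonId -> logon details
    $logoffs = @{}   # TargetLogonId -> time of the first 4647/4634 seen for that session

    foreach ($ev in $events) {
        $xml = [xml]$ev.ToXml()
        $id  = Get-EventField $xml 'TargetLogonId'
        if ($ev.Id -eq 4624) {
            $type = Get-EventField $xml 'LogonType'
            $user = (Get-EventField $xml 'TargetUserName').ToLower()
            # LogonType 2 = console, 10 = RDP; network/service/batch logons are not "using the PC"
            if (($type -eq '2' -or $type -eq '10') -and ($staff -contains $user)) {
                $logons[$id] = @{ User = $user; LogonType = $type; LogonTime = $ev.TimeCreated }
            }
        } elseif (-not $logoffs.ContainsKey($id)) {
            $logoffs[$id] = $ev.TimeCreated
        }
    }

    foreach ($id in $logons.Keys) {
        New-Object PSObject -Property @{
            Computer   = $pc
            User       = $logons[$id].User
            LogonType  = $logons[$id].LogonType
            LogonTime  = $logons[$id].LogonTime
            LogoffTime = $logoffs[$id]   # $null when no logoff was recorded (still logged on, or log rolled over)
            LogonId    = $id
        }
    }
}

$sessions | Select-Object Computer, User, LogonType, LogonTime, LogoffTime, LogonId |
    Sort-Object Computer, LogonTime |
    Export-Csv -Path 'C:\Audit\payment-pc-sessions.csv' -NoTypeInformation
```

Run it from an admin workstation rather than a domain controller; only the group lookup touches AD, the logon history is read from each PC. A missing LogoffTime is expected for sessions still open or for PCs whose Security log has wrapped, so size the log (or forward events centrally) if the audit window is long.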
 
Gopi Raju, System Analyst, commented:
Run the below commands in AD PowerShell to get the list of users in the particular group on AD.

Import-Module ActiveDirectory
# Export the members of one group to CSV; replace "Name of Group" with e.g. "Payment Staff"
Get-ADGroupMember -Identity "Name of Group" | Select-Object Name | Export-Csv -Path C:\Output\Groupmembers.csv -NoTypeInformation

Then on each PC (15 PCs) run the following command to get the currently logged-on user (replace <computername> with the PC's name).
(Get-WmiObject -ComputerName "<computername>" -Class Win32_ComputerSystem | Select-Object UserName).UserName

And then filter the data as per your requirements.
Please verify the below articles if you have any doubts.
https://gallery.technet.microsoft.com/scriptcenter/Get-All-AD-Users-Logon-9e721a89
https://social.technet.microsoft.com/Forums/lync/en-US/ead6e3f4-8ed3-4cd9-8a9d-e9038792cda8/how-to-get-the-list-of-all-ad-computers-with-last-logged-in-user-name?forum=winserverDS
1
 
Kevin Stanush, Application Developer, commented:
The short answer to this is, no, there isn't any command that is going to get this information for you.  The WMI command linked above will only show you who is currently logged onto a computer.  It won't show any history, or what group was used to log on with.

If you have auditing turned on (for the domain), you can get from the audit log the history information, but it will require a script, and it is sort of complicated and time consuming to run, depending on how large your organization is.  The problem though is I don't think the audit log will show the group that provided the user the right to use these computers.  I believe that Windows does not store anywhere the information on what group/token portion was used to grant access.   The company to ask about this would be Netwrix, so you may want to contact their pre-sales/support and ask them.

Auditors ask for stuff all of the time that isn't possible.  One alternative would be to run tests to see if a domain user can use these computers instead of trying to audit the usage.   Or, and this won't help looking back, would be to run a script at logon that will log this information to a simple text file, which bypasses the complicated/dumb event log stuff, and includes just the information you want. But again, it won't show what group gave the person access.

I may be wrong about the group member access point, so maybe another expert can chime in.
0
David Johnson, CD, MVP, Owner, commented:
What I do is use logon/logoff scripts that execute simple batch files:

logon.bat
REM Take the bracketed address from the first line of the ping output ("Pinging host [10.0.0.5] with ...")
for /f "Tokens=2 Delims=[]" %%i in ('ping -n 1 "%computername%"') do set IP=%%i
REM Append one line per logon to a per-user file on the share
echo %username% logged ON %computername%, IP=%IP% @ %time% %date% >> \\servername\sharename$\%username%.txt

logoff.bat
echo %username% logged OFF %computername% @ %time% %date% >> \\servername\sharename$\%username%.txt

startup.bat
for /f "Tokens=2 Delims=[]" %%i in ('ping -n 1 "%computername%"') do set IP=%%i
REM Machine events go to a per-computer file on a separate share
echo Started up, IP=%IP% @ %time% %date% >> \\servername\computers$\%computername%.txt

shutdown.bat
echo Shutdown @ %time% %date% >> \\servername\computers$\%computername%.txt

You could change these to output CSVs if so desired, i.e.
echo "Shutdown," %time%,%date% >> \\servername\computers$\%computername%.csv
You just have to initialize the files with the CSV header.

https://community.spiceworks.com/scripts/show/70-track-login-and-logout
1
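To turn the per-user text files written by the logon.bat/logoff.bat scripts above into the session list and dormancy review the question asks for, here is an added example (not code from the thread or from the Spiceworks link). It assumes the files are named <username>.txt, that lines follow the echo format in logon.bat/logoff.bat, and that %date% and %time% were written by an en-US Windows ("9:05:12.34 Wed 03/14/2018"); change $stampFormat for another locale. The sample log lines, PC names and staff list are constructed so the script runs stand-alone; in practice the staff list would come from an export like the Get-ADGroupMember CSV in Gopi's answer.

```powershell
# Added example (not from the thread): parse the logon.bat/logoff.bat output files into
# sessions, then report last payment-PC logon and days dormant per Payment Staff member.
# Assumptions: file name = <username>.txt; en-US %time%/%date% format; constructed sample data.
$logRoot     = Join-Path $env:TEMP 'logon-audit-demo'   # constructed; real files live on \\servername\sharename$
$paymentPCs  = 'PAY-PC01', 'PAY-PC02'                   # constructed; the real list has the 15 PC names
$staff       = 'alice', 'bob', 'carol'                  # constructed; normally imported from the group CSV
$stampFormat = 'H:mm:ss.ff ddd MM/dd/yyyy'              # %time% %date% as echoed on an en-US system
$culture     = [System.Globalization.CultureInfo]'en-US'
$asOf        = [datetime]::ParseExact('04/01/2018', 'MM/dd/yyyy', $culture)   # review date

# ---- constructed sample input in exactly the shape logon.bat/logoff.bat produce ----
New-Item -ItemType Directory -Path $logRoot -Force | Out-Null
@'
alice logged ON PAY-PC01, IP=10.1.2.11 @  9:05:12.34 Wed 03/14/2018
alice logged OFF PAY-PC01 @ 17:31:02.10 Wed 03/14/2018
alice logged ON MAIL-PC07, IP=10.1.3.20 @ 10:00:00.00 Thu 03/15/2018
'@ | Set-Content (Join-Path $logRoot 'alice.txt')
@'
bob logged ON PAY-PC02, IP=10.1.2.12 @ 8:59:40.01 Mon 02/05/2018
bob logged OFF PAY-PC02 @ 12:10:05.55 Mon 02/05/2018
'@ | Set-Content (Join-Path $logRoot 'bob.txt')
# carol has no file at all: never logged on anywhere since the scripts were deployed

# %time% pads single-digit hours with a space, hence "@\s+" and the whitespace squeeze below
$linePattern = '^(?<user>\S+) logged (?<action>ON|OFF) (?<pc>[^,\s]+)(?:, IP=(?<ip>\S+))? @\s+(?<stamp>.+)$'

function Read-LogonEvents {
    param([string]$Root)
    foreach ($file in Get-ChildItem -Path $Root -Filter '*.txt') {
        foreach ($line in Get-Content $file.FullName) {
            if (-not ($line -match $linePattern)) { Write-Warning "Unparsed line in $($file.Name): $line"; continue }
            $stamp = ($Matches['stamp'] -replace '\s+', ' ').Trim()
            New-Object PSObject -Property @{
                User     = $Matches['user'].ToLower()
                Action   = $Matches['action']
                Computer = $Matches['pc'].ToUpper()
                IP       = $Matches['ip']
                Time     = [datetime]::ParseExact($stamp, $stampFormat, $culture)
            }
        }
    }
}

# Pair each ON with the next OFF for the same user on the same PC; LogoffTime stays $null
# when the PC was powered off or the logoff script never ran.
function Get-Sessions {
    param($Events)
    $open = @{}
    foreach ($e in ($Events | Sort-Object Time)) {
        $key = "$($e.User)|$($e.Computer)"
        if ($e.Action -eq 'ON') {
            if ($open.ContainsKey($key)) { $open[$key] }   # earlier logon with no logoff: emit as-is
            $open[$key] = New-Object PSObject -Property @{
                User = $e.User; Computer = $e.Computer; IP = $e.IP; LogonTime = $e.Time; LogoffTime = $null
            }
        } elseif ($open.ContainsKey($key)) {
            $open[$key].LogoffTime = $e.Time
            $open[$key]
            $open.Remove($key)
        }
    }
    $open.Values   # sessions still open at the end of the data
}

$events   = Read-LogonEvents -Root $logRoot
$sessions = Get-Sessions -Events $events | Where-Object { $paymentPCs -contains $_.Computer }

# Dormancy: last payment-PC logon per Payment Staff member and days since, as of $asOf
$report = foreach ($u in $staff) {
    $last = $sessions | Where-Object { $_.User -eq $u } | Sort-Object LogonTime -Descending | Select-Object -First 1
    New-Object PSObject -Property @{
        User             = $u
        LastPaymentLogon = $(if ($last) { $last.LogonTime } else { $null })
        DaysDormant      = $(if ($last) { [math]::Floor(($asOf - $last.LogonTime).TotalDays) } else { 'never' })
    }
}

$sessions | Select-Object User, Computer, IP, LogonTime, LogoffTime | Format-Table -AutoSize
$report   | Select-Object User, LastPaymentLogon, DaysDormant | Format-Table -AutoSize
```

Because the share is written by every user's own session, an ON line proves the account reached the desktop, but the file can be edited by that user unless the share is write-only (no read or delete) for users; for audit evidence, have a service copy the files off the share on a schedule.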
 
sunhux (Author) commented:
For David Johnson's scripts, are these run centrally from an AD or one single computer, or do the scripts need to be embedded into each of the 15 PCs? And if on each of the 15 PCs, whereabouts do I embed them?
0
 
sunhux (Author) commented:
The script from Jose will give me a superset of what I needed: let me discuss with our AD admin if he's agreeable to this
0
 
David Johnson, CD, MVP, Owner, commented:
"Scripts, are these run centrally from an AD?" The scripts reside in SYSVOL and write to a network share. They are executed by every machine that has the GPO carrying the logon script applied to it.
0
 
sunhux (Author) commented:
Thanks David.

Quoting Jose:
"https://gallery.technet.microsoft.com/scriptcenter/Get-All-AD-Users-Logon-9e721a89
Maybe that could work. But the truth is, that is not possible to get the membership of a user in login time,"

For Jose's solution, does the script have to be run on the AD or Domain Controller server itself? I don't need the
membership, as I have the 15 PCs' IP addresses & I could filter them out, as those 15 PCs are now enforced
such that that AD group's users could log in to them; effectively I could review, based on those 15 PCs, who
logged in & who didn't: for those who didn't, I could manually pick them up.
0
 
sunhux (Author) commented:
If we have a pair of clustered DCs, do we run that script on both or just one of them?
So as not to overload the primary DC, I thought of running it on the passive DC.
0
 
sunhux (Author) commented:
Unfortunately, our DCs are still running PowerShell Ver 2 so can't support that PS1 script.

Is there any equivalent cmd or VB or wmic commands that could do the same extraction?
0
 
sunhux (Author) commented:
https://gallery.technet.microsoft.com/scriptcenter/Get-All-AD-Users-Logon-9e721a89

Is the above script run on the AD itself, or can we run it on any PC in the domain?
Do we need domain admin to run this script?
0