How to find which DC authenticated a user

When a user logs onto the domain, where can I find which DC authenticated them through Kerberos in the DC event log?
I see only the user IP, workstation hostname and user name, but no DC information.
From the client, I can issue %logonserver% or nltest /dsgetdc:sea. But I need to get a report of which DC authenticated whom. How can I update this information?

Also, if the user is a home office user coming in through VPN, the logon event doesn't even seem to be recorded in the DC's security event log.
For VPN users, how can I trace which DC authenticated which user?

DC: Windows Server 2012
Sites and Services are implemented.
Sungpill Han asked:

Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon IT commented:
I can think of 3 ways:
1. In cmd => echo %logonserver%
2. In cmd with the domain name => nltest /DSGETDC:<domainname>
3. Powershell Script: https://gallery.technet.microsoft.com/Powershell-Script-checks-4a8fe0ee

You can only log that after the user is logged on, so it can be a script deployed as a scheduled task that handles the logging into a CSV file (it can be deployed using GPO).
About the VPN part, it's really hard to know, because the user is being authenticated using the network hardware through AD, not directly in AD as a local computer.

And about getting the report, you would need another script that you run when you need it, which reads the CSV file (or several CSV files) that is being created daily and then creates the HTML output using PowerShell. That's one solution that I can think of.
1
Sungpill Han (author) commented:
logonserver and nltest only show the logon DC on a single client computer.
How can I get a list of client computer/DC name pairs? In the DC's security log, it doesn't show which DC authenticated users, but only IP, username and client computer name.

Thanks for the link to the script. I am already using a script that enumerates DCs to get the Lastlogon attribute value of a user. But this will give only the most recent logon DC. I need a log which shows which DC authenticated a user yesterday or even further in the past. Isn't this possible without AD audit software?
0
Lee W, MVP, Technology and Business Process Advisor commented:
Add to the login script for all users (assuming batch) a line like:
echo %date%,%time%,%username%,%logonserver% >> \\server\share\path\you\want\to\login-log.csv

Whenever a user is authenticated, it will record an entry in the login-log.csv file. Open that file in Excel and you have a filterable log for everyone, every computer, with date and time stamps.
0
Lee W, MVP, Technology and Business Process Advisor commented:
You MAY also be able to enable auditing and collect information from the appropriate logs to determine what you're looking for.
Audit logon events
https://technet.microsoft.com/en-us/library/cc976395.aspx
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon IT commented:
Lee proposed a "startup" bat script. That could work.
With that information in CSV, you are able to load it into PowerShell, and since they are objects, you can sort them the way you want and then construct the HTML.

You can also create the CSV using PowerShell.
For example, to get the ipconfig (IP) using PowerShell you can use https://gallery.technet.microsoft.com/office/IPConfig-Like-Powershell-49ca7f05

# load the client IP from the linked Get-IpInfo.ps1 (must sit in the same folder as this script)
$ip=$( $(.\Get-IpInfo.ps1).IPAddress)
# create the CSV with a header line the first time the script runs
$CsvPath = "\\JGI5\CloudData\t1.log"
if(!(Test-Path $CsvPath)){
    "Date,Time,ip,hostname,username,DCLogon" | Out-File "$CsvPath"
}
# append one line per logon; HH is a 24-hour clock (hh would be 12-hour with no AM/PM marker)
add-content -path  $CsvPath -value "$(Get-Date -f "dd/MM/yyyy,HH:mm:ss"),$ip,$env:computername,$env:username,$env:LOGONSERVER"


The linked script is used in this solution and should be in the same folder.
0
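An added example (not Lee's or Jose's code) of the reporting step Jose describes: it reads the headerless login-log.csv that Lee's batch line appends to (date,time,username,logonserver), keeps a date window, and produces per-DC counts, user/DC pairs and an HTML page. The log path and the assumption that the clients' %date%/%time% format parses under the reporting machine's culture are mine, not the thread's.

```powershell
# Report which DC authenticated whom, from the login-log.csv that the batch
# login script appends to (no header; columns date,time,username,logonserver).
param(
    [string]$LogPath   = '\\server\share\path\you\want\to\login-log.csv',  # assumed: path used in the login script
    [datetime]$From    = (Get-Date).Date.AddDays(-1),                        # default window: yesterday
    [datetime]$To      = (Get-Date).Date,
    [string]$ReportDir = $env:TEMP
)

# The batch file writes no header line, so column names are supplied here.
$rows = Import-Csv -Path $LogPath -Header Date,Time,User,LogonServer | ForEach-Object {
    # %date%/%time% follow the client's regional settings; TryParse uses the
    # reporting machine's culture, so lines in another format are skipped.
    $stamp = [datetime]::MinValue
    if ([datetime]::TryParse("$($_.Date) $($_.Time)", [ref]$stamp)) {
        [pscustomobject]@{
            Timestamp   = $stamp
            User        = $_.User
            LogonServer = $_.LogonServer.TrimStart('\')   # %logonserver% expands to "\\DCNAME"
        }
    }
} | Where-Object { $_.Timestamp -ge $From -and $_.Timestamp -lt $To }

# How many logons each DC handled in the window
$perDc = $rows | Group-Object LogonServer | Sort-Object Count -Descending |
    Select-Object @{n='DC'; e={$_.Name}}, Count

# One line per distinct user/DC pair with first and last time seen
$pairs = $rows | Group-Object User, LogonServer | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Timestamp)
    [pscustomobject]@{
        User      = $sorted[0].User
        DC        = $sorted[0].LogonServer
        Logons    = $_.Count
        FirstSeen = $sorted[0].Timestamp
        LastSeen  = $sorted[-1].Timestamp
    }
} | Sort-Object User, DC

$perDc | Format-Table -AutoSize
$pairs | Format-Table -AutoSize

# HTML output as Jose suggests; ConvertTo-Html builds the tables.
$body = ($perDc | ConvertTo-Html -Fragment -PreContent '<h2>Logons per DC</h2>') +
        ($pairs | ConvertTo-Html -Fragment -PreContent '<h2>User / DC pairs</h2>')
ConvertTo-Html -Body $body -Title "Logon servers $($From.ToShortDateString()) to $($To.ToShortDateString())" |
    Out-File -FilePath (Join-Path $ReportDir 'logonserver-report.html')
```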
arnold commented:
The GPO user Jose provided should be a login script.


If you want this proactive, what resources do you have?
You could centralize (event forwarding) and use Splunk.

Using PowerShell you can pull the security log; DCs by default log login/logout events to determine...

To what end? Are you troubleshooting an issue where a user who should not be able to log on does?
To determine the health of the AD, use dcdiag to validate that all DCs in the environment are in sync.
0
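An added example (mine, not arnold's or any poster's code) of the PowerShell pull arnold mentions. The DC that wrote the event is the DC that authenticated the user, which is why the event has no "DC" field; so the script reads every DC's Security log and tags each record with that DC's name. It assumes the ActiveDirectory module (RSAT) on the reporting machine, remote Event Log access to each DC, and that the Kerberos Authentication Service and Credential Validation audit subcategories are enabled; NTLM validations (4776) are included because an NPS/RADIUS-backed VPN logon typically reaches the DC that way rather than as a Kerberos TGT request.

```powershell
param(
    [datetime]$Since = (Get-Date).AddDays(-1),          # how far back to read
    [string]$OutCsv  = "$env:TEMP\dc-auth-report.csv"
)
Import-Module ActiveDirectory   # assumed available (RSAT) on the machine running this

# Pull one named <Data> element out of an event's EventData XML.
function Get-EventField([xml]$Xml, [string]$Name) {
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # 4768 = Kerberos TGT requested, 4776 = NTLM credential validation
    $filter = @{ LogName = 'Security'; Id = 4768, 4776; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Thrown when no events match, or when the remote Event Log service is unreachable
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        if ($e.Id -eq 4768) {
            # Kerberos: the DC that wrote this event issued (or refused) the TGT
            [pscustomobject]@{
                Time = $e.TimeCreated; DC = $dc.Name; Protocol = 'Kerberos'
                User   = Get-EventField $x 'TargetUserName'
                Client = (Get-EventField $x 'IpAddress') -replace '^::ffff:', ''   # strip IPv4-mapped prefix
                Status = Get-EventField $x 'Status'                                 # 0x0 = ticket issued
            }
        } else {
            # NTLM pass-through (what an NPS/RADIUS-backed VPN logon typically leaves on the DC)
            [pscustomobject]@{
                Time = $e.TimeCreated; DC = $dc.Name; Protocol = 'NTLM'
                User   = Get-EventField $x 'TargetUserName'
                Client = Get-EventField $x 'Workstation'
                Status = Get-EventField $x 'Status'        # 0x0 = credentials validated
            }
        }
    }
}

$results | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation
$results | Group-Object DC, Protocol | Select-Object Name, Count | Format-Table -AutoSize
```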
Naveen Sharma commented:
Check out PsLoggedOn.

If you are on the DC locally, just use PowerShell:
Get-WmiObject Win32_LoggedOnUser | Select Antecedent -Unique


get-loggedonuser -computername DC



Also, you can use the Task Manager to see who's logged in.

Windows Server – How to identify which domain controller authenticated a user:
https://www.interfacett.com/blogs/windows-server-how-to-identify-which-domain-controller-authenticated-a-user/

How to audit the successful or failed logon and logoff attempts in the network using the audit policies:
https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

You can create a Logon/Logoff Script GPO that points to your two batch files: User Configuration --> Windows Settings --> Scripts

Logon.bat

echo Logon %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >> <INSERT PATH TO LOGON.LOG>

Logoff.bat

echo Logoff %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >> <INSERT PATH TO LOGOFF.LOG>
0

Sungpill Han (author) commented:
Everyone, thank you for the information. I'll go over your comments and test them one by one.
0