Determine which AD users are logged onto which Domain Controller

Are there any utilities or methods within Server 2016 that will list which Active Directory users are logged into which domain controller?
IT Guy (Network Engineer) asked:
 
Naveen Sharma commented:
PsLoggedOn might help you achieve what you are looking for. Also, you can check an Active Directory auditing solution to track user logon and logoff.

How to Monitor User Logons in Active Directory Domain:
https://www.lepide.com/how-to/monitor-user-logons-in-domain.html
0
 
Cliff Galiher commented:
Event logs will tell you which domain controller issued a Kerberos ticket. But users don't "log into" a domain controller. That term is a throwback to old Unix days where a persistent presence existed. Which just isn't how Windows handles authentication.
1
 
Lee W, MVP (Technology and Business Process Advisor) commented:
On the workstation you can type SET L in a command prompt - the "logonserver" is the server that authenticated them.

You could create a csv text file by adding to their login script a command like this:

echo %username%,%computername%,%logonserver%,%date%,%time% >> \\server\share\DailyLogins%date:~-4%%date:~4,2%%date:~7,2%.txt

(Note the above assumes standard US based date/time formats; %date% variables that produce an output other than DAY MM/DD/YYYY format will result in a different, possibly nonsense, possibly not working file name).

Then you could just open the file and review who logged in where when and was authenticated by which DC.
0
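
One way to review the file that login script produces, as an added PowerShell example that is not part of Lee's comment. The sample lines and the function name Import-LogonLog are constructed for illustration; the field order follows the echo command above and assumes the US "DAY MM/DD/YYYY" date format it notes.

```powershell
# Constructed sample lines in the format the login script writes:
# username,computername,logonserver,date,time  (no header row, trailing space)
$sample = @'
jsmith,WS-014,\\DC01,Tue 03/05/2019, 8:01:12.44 
mlee,WS-022,\\DC02,Tue 03/05/2019, 8:03:50.10 
akhan,LT-007,\\DC01,Tue 03/05/2019, 9:15:33.02 
jsmith,WS-014,\\DC02,Tue 03/05/2019,13:27:05.91 
'@

function Import-LogonLog {
    param([string[]]$Line)
    $Line | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header User, Computer, LogonServer, Date, Time |
        ForEach-Object {
            # %date% is "DAY MM/DD/YYYY": drop the day name, then append %time%
            $stamp = '{0} {1}' -f ($_.Date.Trim() -split ' ')[-1], $_.Time.Trim()
            [pscustomobject]@{
                User     = $_.User.Trim()
                Computer = $_.Computer.Trim()
                # %logonserver% is written as "\\NAME"; keep only the name
                DC       = $_.LogonServer.Trim().TrimStart('\')
                When     = [datetime]::ParseExact($stamp, 'MM/dd/yyyy H:mm:ss.ff',
                               [cultureinfo]::InvariantCulture)
            }
        }
}

# For a real file, replace the sample with:
#   Get-Content '\\server\share\DailyLogins*.txt'
$logons = Import-LogonLog -Line ($sample -split '\r?\n')

# The DC recorded at each user's most recent logon
$logons | Sort-Object When | Group-Object User |
    ForEach-Object { $_.Group | Select-Object -Last 1 } |
    Format-Table User, Computer, DC, When -AutoSize

# Distinct users recorded against each DC
$logons | Group-Object DC |
    Select-Object @{ n = 'DC'; e = { $_.Name } },
                  @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```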
 
arnold commented:
Technically speaking, as Cliff pointed out as well, only domain admins can log in to DCs unless policy changes to the default domain controller policy are made. The DCs receive requests to authorize/authenticate a user to access a resource.
Either the system on direct logon, shares and files in a share if ... etc.

Are you talking about pulling this information retrospectively or prospectively?

Best way is to set up a user GPO (user configuration, security settings, login script) that will use the example Lee provided as the batch script.

The %logonserver% is the server to whom and from whom a response confirming the person had rights to login came in.

https://www.microsoft.com/en-us/download/details.aspx?id=15201
In the absence of that, use an account lockout tool's eventcombmt.exe tool to pull the security event log for login events from your DCs.

The other option, if you can have an snmptrapd server (Linux) as the destination, is to add SNMP functionality to your systems and, using evntwin, set up the security event to trap, which can then be imported on each system using evntcmd as part of a computer GPO startup script.
0
 
Shaun Vermaak (Technical Specialist/Developer) commented:
I would use nltest /dsgetdc instead of %LogonServer%.

%LogonServer% is not updated dynamically as the connection changes.

You can also add this information to the computer description, similarly to the first section of this article:
https://www.experts-exchange.com/articles/30891/Automated-object-placement-using-AutoAD.html
0
Question has a verified solution.
