Determine which AD users are logged onto which Domain Controller

Are there any utilities or methods within Server 2016 that will list which Active Directory users are logged into which domain controller?
IT Guy, Network Engineer, Asked:

Cliff Galiher Commented:
Event logs will tell you which domain controller issued a Kerberos ticket. But users don't "log into" a domain controller. That term is a throwback to old Unix days where a persistent presence existed, which just isn't how Windows handles authentication.
Lee W, MVP, Technology and Business Process Advisor, Commented:
On the workstation you can type SET L in a command prompt - the "logonserver" is the server that authenticated them.

You could create a csv text file by adding to their login script a command like this:

echo %username%,%computername%,%logonserver%,%date%,%time% >> \\server\share\DailyLogins%date:~-4%%date:~4,2%%date:~7,2%.txt

(Note the above assumes standard US based date/time formats; %date% variables that produce an output other than DAY MM/DD/YYYY format will result in a different, possibly nonsense, possibly not working file name).

Then you could just open the file and review who logged in where when and was authenticated by which DC.
Technically speaking, as Cliff pointed out as well, only domain admins can log in to DCs unless policy changes to the default domain controller policy are made. The DCs receive requests to authorize/authenticate a user to access a resource, either the system on direct logon, shares and files in a share if ... etc.

Are you talking about pulling this information retrospectively or prospectively?

The best way is to set up a user GPO (user configuration, security settings, login script) that will use the example Lee provided as the batch script.

The %logonserver% is the server to whom and from whom a response confirming the person had rights to log in came in.
In the absence of that, use an account lockout tool's eventcombmt.exe tool to pull the security event log for login events from your DCs.

The other option, if you can have an snmptrapd server (Linux) as the destination, is to add SNMP functionality to your systems and, using evntwin, set up the security event to trap, which can then be imported on each system using evntcmd as part of a computer GPO startup script.
Naveen Sharma Commented:
PsLoggedOn might help achieve what you are looking for. Also, you can check an Active Directory auditing solution to track user logon and logoff.

How to Monitor User Logons in Active Directory Domain:

Shaun Vermaak, Technical Specialist, Commented:
I would use nltest /dsgetdc instead of %LogonServer%

%LogonServer% is not updated dynamically as connection changes

You can also add this information to the computer description similarly to the first section of this article
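
A logon-script sketch that combines Lee's CSV logging with Shaun's nltest /dsgetdc suggestion and avoids the date-format caveat; this is an added example, not code posted by anyone in the thread. It assumes the placeholder share \\server\share from Lee's post is writable by users and that the machine is domain-joined so USERDNSDOMAIN is set.

```powershell
# Added example: append one CSV row per logon with both DC views.
$share = '\\server\share'                  # placeholder share from the thread
$stamp = Get-Date
# Build the file name from a fixed format string, independent of regional settings.
$file  = Join-Path $share ('DailyLogins{0:yyyyMMdd}.txt' -f $stamp)

# %LOGONSERVER% is set once at logon and is not refreshed afterwards.
$logonServer = $env:LOGONSERVER

# Ask the DC locator which DC is currently selected (nltest /dsgetdc:<domain>).
$currentDc = ''
$nltestOut = & nltest.exe "/dsgetdc:$env:USERDNSDOMAIN" 2>$null
if ($LASTEXITCODE -eq 0) {
    foreach ($l in $nltestOut) {
        # The output contains a line of the form "DC: \\dc-name"
        if ($l -match '^\s*DC:\s*\\\\(\S+)') { $currentDc = $Matches[1]; break }
    }
}

$row = [pscustomobject]@{
    User        = $env:USERNAME
    Computer    = $env:COMPUTERNAME
    LogonServer = $logonServer
    CurrentDC   = $currentDc
    Timestamp   = $stamp.ToString('s')     # sortable ISO 8601 local time
}

# Several logons may write at once; retry briefly if the file is locked.
for ($i = 0; $i -lt 5; $i++) {
    try {
        $row | Export-Csv -Path $file -Append -NoTypeInformation -ErrorAction Stop
        break
    } catch {
        Start-Sleep -Milliseconds (200 * ($i + 1))
    }
}
```

Because every user can write to the share, the file is a convenience record that any user could edit; the Security event logs on the DCs, as Cliff notes, remain the authoritative source for which DC issued a ticket.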