URL: http://woshub.com/check-user-logon-history-active-directory-domain-powershell/

January 22, 2021 | Active Directory, Group Policies, PowerShell


CHECKING USER LOGON HISTORY IN ACTIVE DIRECTORY DOMAIN WITH POWERSHELL



There are several different tools to get information about the time of a user
logon to an Active Directory domain. The time of the last successful
authentication of a user in the domain can be read from the lastLogon attribute
(it is not replicated and is only updated on the domain controller that
authenticated the user) or from the lastLogonTimestamp attribute (it is
replicated between the DCs in a domain, but by default it is only refreshed when
the stored value is more than 9 to 14 days old, so it is only approximate). You
can check the value of either attribute in the AD attribute editor or with the
Get-ADUser PowerShell cmdlet. However, sometimes you need to see the history of a
user's logons in the domain over a longer period, not just the last one.







You can get information about successful user logon (authentication) events from
the domain controller logs. In this article we will show how to track user logon
history in the domain using PowerShell. This way you get a complete history of
the user's activity in the domain: when the user started working and which
computers the logons came from.



Contents:
 * Active Directory User Logon Audit Policy
 * Getting User Last Logon History with PowerShell
 * Get Domain User Logon History Based on Kerberos Events




ACTIVE DIRECTORY USER LOGON AUDIT POLICY

In order for information about successful and failed logons to be collected in
the domain controller logs, enable the audit policy for user logon events:

 1. Open the Group Policy Management console (GPMC.msc);
 2. Open the Default Domain Policy GPO (or, better, a dedicated GPO linked to
    the Domain Controllers OU, since Microsoft recommends not editing the
    default GPOs; whichever GPO you use must apply to the DCs, because that is
    where the events are written) and go to Computer Configuration -> Policies
    -> Windows Settings -> Security Settings -> Advanced Audit Policy
    Configuration -> Audit Policies -> Logon/Logoff;
    
 3. Enable two audit subcategories: Audit Logon and Audit Other Logon/Logoff
    Events. Select both Success and Failure so that successful and failed
    logons are written to the Security log of the DCs (and of any other
    computers the GPO applies to);
    
 4. Save the GPO and refresh the policy on your domain controllers with
    gpupdate /force (or wait up to 90 minutes for the background refresh, plus
    the time the GPO needs to replicate between the DCs).
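Before relying on the DC logs, it is worth confirming that the subcategories above are actually in effect on every domain controller (a GPO linked higher up can be overridden by the Default Domain Controllers Policy, which also carries audit settings). The following added example, which is not part of the original article, reads the effective policy on each DC with auditpol.exe /get /r (CSV output) over PowerShell Remoting. It assumes the ActiveDirectory module, WinRM access to the DCs, and the function name Test-DcLogonAuditPolicy, which is this example's own.

```powershell
# Added example (not code from the article): report the effective audit setting
# of the Logon/Logoff and Kerberos subcategories on every DC and flag the ones
# that are not set to "Success and Failure". Assumes the ActiveDirectory module
# and WinRM access to the DCs; Test-DcLogonAuditPolicy is this example's own name.
Import-Module ActiveDirectory

function Test-DcLogonAuditPolicy {
    param(
        # auditpol subcategory names used by this article
        [string[]]$Subcategories = @('Logon', 'Other Logon/Logoff Events',
                                     'Kerberos Authentication Service'),
        [string]$Expected = 'Success and Failure'
    )
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # auditpol /r prints CSV: Machine Name,Policy Target,Subcategory,
    # Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = Invoke-Command -ComputerName $dcs -ArgumentList (,$Subcategories) -ScriptBlock {
        param([string[]]$subs)
        foreach ($s in $subs) {
            auditpol.exe /get /subcategory:"$s" /r |
                Where-Object { $_.Trim() } |      # drop blank lines before the header
                ConvertFrom-Csv
        }
    }

    foreach ($r in $rows) {
        [PSCustomObject]@{
            DC          = $r.'Machine Name'
            Subcategory = $r.Subcategory
            Setting     = $r.'Inclusion Setting'   # e.g. "No Auditing", "Success", "Success and Failure"
            Compliant   = ($r.'Inclusion Setting' -eq $Expected)
        }
    }
}

# Show only the DC/subcategory pairs that still need fixing
Test-DcLogonAuditPolicy | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

If the list is empty, every DC is auditing the three subcategories for both successes and failures; if a DC shows "No Auditing" even after gpupdate, check which GPO wins on the Domain Controllers OU with gpresult /h before blaming replication.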

The event with Event ID 4624 (An account was successfully logged on) is written
to the Security log of the computer on which the logon session is created. A
domain controller therefore records 4624 when a user logs on to the DC itself
(for example over RDP) and when a user's computer accesses a resource on the DC
over the network; the latter typically happens during every domain logon,
because the client reads Group Policy files and logon scripts from the DC. The
event description shows the account that was authenticated (Account Name), the
name of the computer the logon came from (Workstation Name) and its IP address
(Source Network Address).

You also need to check the value of the Logon Type field. We are interested in
the following codes:

 * Logon Type 10 – Remote Interactive logon: a logon via RDP, shadow connection
   or Remote Assistance. It appears on a domain controller when an administrator
   (or a non-admin user who has been granted RDP access to the DC) logs on to
   it. This type is used to monitor the activity of Remote Desktop Services
   users;
 * Logon Type 3 – Network logon: the user's computer connects to a resource on
   the DC over the network (a shared folder, a printer or an IIS site). This is
   the type you will see on a DC for ordinary domain logons from workstations,
   because the client reads Group Policy files and logon scripts from the DC's
   SYSVOL share.



You can also track the Kerberos ticket-granting ticket (TGT) request that is
generated when a user authenticates: Event ID 4768, A Kerberos authentication
ticket (TGT) was requested. To enable it, turn on Account Logon -> Audit
Kerberos Authentication Service -> Success and Failure under the same Advanced
Audit Policy Configuration node.

The 4768 event also contains the IP address of the client (Client Address) and
the user account (Account Name) for which the TGT was requested, along with a
Result Code (0x0 on success; other values such as 0x18 for a wrong password
identify failed requests).




GETTING USER LAST LOGON HISTORY WITH POWERSHELL

You can use the Get-EventLog PowerShell cmdlet to read the domain controller's
Security log, filter the events by the Event ID you want and display the time
when a user authenticated in the domain and the computer the logon came from.
Since a domain usually has several domain controllers and a user may be
authenticated by any of them, you need to query each DC; the Get-ADDomainController
cmdlet (from the Active Directory module for Windows PowerShell) returns the
list of all DCs in the domain. Note that Get-EventLog is only available in
Windows PowerShell (it is not included in PowerShell 7) and that its -InstanceId
filter is applied after the log entries have been read from the DC, so on a busy
DC the query can take a while.

The following PowerShell script gets all logon events for a user from every
domain controller in the AD domain. The result is a table with the user's logon
history and the computers the logons came from.





# Requires the ActiveDirectory module (RSAT) and read access to the DCs' Security logs
Import-Module ActiveDirectory

# Username whose logon history you want to view (wildcards allowed)
$checkuser = '*jbrown*'
# How far back to search: the last 2 days (change this value as needed)
$startDate = (Get-Date).AddDays(-2)

$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    # Get-EventLog reads every 4624 event since $startDate; the filtering below is done locally
    $logonevents = Get-EventLog -LogName Security -InstanceId 4624 -After $startDate -ComputerName $DC.HostName
    foreach ($event in $logonevents) {
        # ReplacementStrings positions for 4624:
        # [5] Account Name, [8] Logon Type, [11] Workstation Name, [18] Source Network Address
        $user      = $event.ReplacementStrings[5]
        $logonType = $event.ReplacementStrings[8]
        # Skip computer accounts (their names end with '$') and users other than the one we want
        if (($user -like '*$') -or ($user -notlike $checkuser)) { continue }
        # Keep only Remote Interactive (10) and Network (3) logons
        if ($logonType -notin @('3', '10')) { continue }
        if ($logonType -eq '10') { $typeLabel = 'Type 10: Remote Logon' } else { $typeLabel = 'Type 3: Network Logon' }
        # Emit objects rather than Write-Host text so the result can be sorted or exported (Export-Csv)
        [PSCustomObject]@{
            Type        = $typeLabel
            Date        = $event.TimeGenerated
            Status      = 'Success'
            User        = $user
            Workstation = $event.ReplacementStrings[11]
            IPAddress   = $event.ReplacementStrings[18]
            DCName      = $DC.Name
        }
    }
}




GET DOMAIN USER LOGON HISTORY BASED ON KERBEROS EVENTS

You can also build a user's authentication history from the Kerberos TGT request
event (Event ID 4768). In this case the output contains fewer events than with
4624, because network logons are excluded (among them the connections to the
DC's shared folders when Group Policy files are downloaded or logon scripts
run). The following PowerShell script displays all user logons (TGT requests)
from every DC for the last 24 hours:

Import-Module ActiveDirectory

$startDate = (Get-Date).AddDays(-1)
$DCs = Get-ADDomainController -Filter *
# Collect the loop output into an array instead of growing it with += on every event
$alluserhistory = foreach ($DC in $DCs) {
    $logonevents = Get-EventLog -LogName Security -InstanceId 4768 -After $startDate -ComputerName $DC.HostName
    foreach ($event in $logonevents) {
        # ReplacementStrings positions for 4768: [0] Account Name, [6] Result Code, [9] Client Address
        # Computer accounts (names ending with '$') request TGTs too; skip them
        if ($event.ReplacementStrings[0] -notlike '*$') {
            [PSCustomObject]@{
                UserName  = $event.ReplacementStrings[0]
                # IPv4 clients are logged as IPv4-mapped IPv6 addresses, e.g. ::ffff:192.168.1.10
                IPAddress = $event.ReplacementStrings[9]
                # 0x0 = TGT issued; any other value is a failed request (Failure auditing is on)
                Status    = $event.ReplacementStrings[6]
                Date      = $event.TimeGenerated
                DC        = $DC.Name
            }
        }
    }
}
$alluserhistory



Note that in this case you won't see the logons of users authenticated from
clients or applications that use NTLM instead of Kerberos. NTLM authentications
are recorded on the DC as Event ID 4776 (The computer attempted to validate the
credentials for an account), which requires the Account Logon -> Audit
Credential Validation subcategory to be enabled.
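The two scripts above share the same weaknesses: Get-EventLog pulls every event of the chosen ID from each DC before filtering, it does not exist in PowerShell 7, and positional ReplacementStrings indexes break silently if the column order is ever different from what you assumed. The following added example, which is not code from the original article, covers both the 4624 section and the 4768 section with one function: it uses Get-WinEvent with an XPath filter (evaluated on the DC, so only matching records cross the network), reads the EventData fields by name, and can optionally add the 4776 NTLM events that 4768 misses. It assumes the ActiveDirectory module, read access to the DCs' Security logs, the "Remote Event Log Management" firewall rules on the DCs, and the function names ConvertTo-EventDataHashtable and Get-DcAuthenticationHistory, which are this example's own.

```powershell
# Added example (not code from the article): query the DC-side authentication
# events from every domain controller with Get-WinEvent. 4624 (network/RDP
# logons) and 4768 (Kerberos TGT requests) are the events the article uses;
# 4776 (NTLM credential validation, audited by Account Logon -> Audit
# Credential Validation) is added on request for clients that use NTLM.
# Assumes the ActiveDirectory module, remote Security-log read access and the
# "Remote Event Log Management" firewall rules; function names are this example's own.
Import-Module ActiveDirectory

function ConvertTo-EventDataHashtable {
    # Map <EventData><Data Name="...">value</Data>... to a name -> value table,
    # so a different field order cannot silently shift a column.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }
    return $data
}

function Get-DcAuthenticationHistory {
    param(
        # sAMAccountName to look for; -like wildcards allowed, '*' = every user
        [string]$UserName = '*',
        [int]$Days = 1,
        # 4624 logon types to keep: 3 = Network, 10 = RemoteInteractive (RDP)
        [int[]]$LogonTypes = @(3, 10),
        [switch]$IncludeNtlm
    )
    $ids = @(4624, 4768)
    if ($IncludeNtlm) { $ids += 4776 }
    $idFilter = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
    $ms = [int64]$Days * 24 * 60 * 60 * 1000          # timediff() is in milliseconds
    # Evaluated by the event log service on the DC, not by the client
    $xpath = "*[System[($idFilter) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    foreach ($dc in Get-ADDomainController -Filter *) {
        # SilentlyContinue: Get-WinEvent raises an error when no event matches
        $events = Get-WinEvent -ComputerName $dc.HostName -LogName Security `
                               -FilterXPath $xpath -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d    = ConvertTo-EventDataHashtable -Event $e
            $user = $d['TargetUserName']
            # Skip computer accounts (name ends with '$') and users we did not ask for
            if (-not $user -or $user.EndsWith('$') -or $user -notlike $UserName) { continue }
            if ($e.Id -eq 4624 -and [int]$d['LogonType'] -notin $LogonTypes) { continue }

            switch ($e.Id) {
                4624 { $kind = "4624 logon type $($d['LogonType'])"; $ws = $d['WorkstationName']; $ip = $d['IpAddress']; $status = '0x0' }
                4768 { $kind = '4768 Kerberos TGT';                  $ws = '';                    $ip = $d['IpAddress']; $status = $d['Status'] }
                4776 { $kind = '4776 NTLM validation';               $ws = $d['Workstation'];     $ip = '';              $status = $d['Status'] }
            }
            [PSCustomObject]@{
                Time        = $e.TimeCreated
                DC          = $dc.Name
                Event       = $kind
                User        = $user
                Workstation = $ws
                # IPv4 clients are logged as IPv4-mapped IPv6 (::ffff:10.0.0.5); strip the prefix
                IpAddress   = ($ip -replace '^::ffff:', '')
                # 0x0 = success for 4768/4776 (4624 is a success by definition, shown as 0x0 too)
                Status      = $status
            }
        }
    }
}

# Everything jbrown did against the DCs in the last 2 days, NTLM included
Get-DcAuthenticationHistory -UserName 'jbrown' -Days 2 -IncludeNtlm |
    Sort-Object Time | Format-Table -AutoSize
```

A non-zero Status on a 4768 or 4776 record is a failed authentication attempt from the listed address, which is exactly the data you need when chasing an account lockout; pipe the output to Export-Csv if you want to keep the history beyond the DCs' Security log retention.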






1 COMMENT

Ivan April 26, 2021 - 3:07 pm

Second script does not display anything

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins

