Powershell: Find AD Users’ Logon History with their Logged on Computers

One of the daily system admin task is to check the user login history throughout the domain. It becomes quite a tough task if you have to go through thousands of event logs to find the correct security events of users logon from every domain controllers. Though we filter only the Kerberos Authentication Events for TGT (Ticket-Granting-Ticket) Requests, there are so many information in each event regarding to specific users.
So, I am taking some time to put all these Kerberos events together from every domain controller to look for some useful information and then write this handy script to save my difficult days !

Note: This script contains cmdlets from DnsClient module which needs Server2012 or Server2012R2 to run the script. If you run the script on servers other than domain controller, you need Powershell with Active Directory Module installed. You can check if it is already installed it with the command:
Get-Module *active* -ListAvailable
In environment where Exchange Servers are installed, users requests for TGT also come from exchange servers(Workstation column in our result) occurs when they are authenticated via Outlook Web App.
If permissions error occur or cannot retrieve logs, you may need to “Run as Administrator” Powershell.
Some computers with IP addresses will be shown as “NOT FOUND” if the reverse DNS zone for these computers are not created in AD. For this, you may need to create PTR records for these computers.

List of last logged on AD users
Figure-1: List of last logged on users
 
List of all users logons from their respective computers
Figure-2: List of all users logons from their respective computers
 
Getting Help of powershell script
Figure-3: Getting Help
 

You can download my script from github.

3 thoughts on “Powershell: Find AD Users’ Logon History with their Logged on Computers”

  1. Hi! Got this error:

    PS C:UsersAdministratorDesktop> .Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly
    No events were found that match the specified selection criteria.
    + CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
    + PSComputerName : localhost

    AD Misconfiguration?

Leave a Reply

Your email address will not be published. Required fields are marked *