Powershell: Find AD Users’ Logon History with their Logged on Computers

One of the daily system admin task is to check the user login history throughout the domain. It becomes quite a tough task if you have to go through thousands of event logs to find the correct security events of users logon from every domain controllers. Though we filter only the Kerberos Authentication Events for TGT (Ticket-Granting-Ticket) Requests, there are so many information in each event regarding to specific users.
So, I am taking some time to put all these Kerberos events together from every domain controller to look for some useful information and then write this handy script to save my difficult days !

Note: This script contains cmdlets from DnsClient module which needs Server2012 or Server2012R2 to run the script. If you run the script on servers other than domain controller, you need Powershell with Active Directory Module installed. You can check if it is already installed it with the command:
Get-Module *active* -ListAvailable
In environment where Exchange Servers are installed, users requests for TGT also come from exchange servers(Workstation column in our result) occurs when they are authenticated via Outlook Web App.
If permissions error occur or cannot retrieve logs, you may need to “Run as Administrator” Powershell.
Some computers with IP addresses will be shown as “NOT FOUND” if the reverse DNS zone for these computers are not created in AD. For this, you may need to create PTR records for these computers.

List of last logged on AD users

Figure-1: List of last logged on users

 
List of all users logons from their respective computers

Figure-2: List of all users logons from their respective computers

 
Getting Help of powershell script

Figure-3: Getting Help

 

You can download my script from github.

This entry was posted in Active Directory, Powershell. Bookmark the permalink.

3 Responses to Powershell: Find AD Users’ Logon History with their Logged on Computers

  1. Anonymous says:

    Nice script! Is there a way to check only for a specified users?

  2. Unknown says:

    Is there a way to use archived security event files ? *.evtx ?

  3. emmav674 says:

    Hi! Got this error:

    PS C:UsersAdministratorDesktop> .Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly
    No events were found that match the specified selection criteria.
    + CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
    + PSComputerName : localhost

    AD Misconfiguration?

Leave a Reply

Your email address will not be published. Required fields are marked *