These days I have been spending time pulling Kerberos events together from every domain controller to find the particular information we want, and that is what led me to write this handy script for system admins. I hope it helps you; have a good day!
Note: This script uses cmdlets from the DnsClient module, which ships with Windows Server 2012 and Server 2012 R2 (it is not available on older servers). If you run the script on a server other than a domain controller, you need PowerShell with the Active Directory module installed. You can check whether it is already installed with the command:
Get-Module *active* -ListAvailable
In environments where Exchange servers are installed, users' TGT requests also come from the Exchange servers (shown in the Workstation column of the result); this happens when they authenticate through Outlook Web App.
If you get a permissions error or the logs cannot be retrieved, run PowerShell as Administrator (reading the Security log requires administrative rights or membership in the Event Log Readers group).
Some computers will be shown as "NOT FOUND" next to their IP addresses if the reverse DNS zone for those computers has not been created in AD. To fix this, create the reverse lookup zone and PTR records for these computers.
Disclaimer: This script, in its unmodified form, is provided for educational purposes only. It is always best to test every script in a test environment before you run it on production systems. The example pictures show the results from the test machines in my lab environment.
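The following is an added example, not the original Get_AD_Users_Logon_History.ps1, showing the mechanics the notes above describe: it collects Kerberos TGT requests (Security event 4768) from every domain controller, maps the requesting IP to a host name with the DnsClient module, reports "NOT FOUND" when no PTR record exists, and treats the "No events were found" error from Get-WinEvent as an empty result rather than a failure. It assumes it is run elevated on a host with the ActiveDirectory and DnsClient modules; the parameter names are hypothetical and only mirror the script's own flags.

```powershell
# Added example (not the original script): Kerberos TGT requests per user and workstation.
# Assumes: elevated PowerShell, ActiveDirectory + DnsClient modules available, and that
# Kerberos Authentication Service auditing is enabled so event 4768 is logged on the DCs.
#Requires -Modules ActiveDirectory, DnsClient
[CmdletBinding()]
param(
    [int]$MaxEvent = 500,       # cap per domain controller (hypothetical name)
    [string[]]$User,            # optional: only these sAMAccountNames
    [switch]$LastLogonOnly      # one row per user, newest first
)

$dcs = (Get-ADDomainController -Filter *).HostName

$rows = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -MaxEvents $MaxEvent -ErrorAction Stop `
                               -FilterHashtable @{ LogName = 'Security'; Id = 4768 }
    } catch {
        # Get-WinEvent throws "No events were found that match the specified selection
        # criteria." when nothing matches (e.g. Kerberos auditing is not enabled on that
        # DC, or the Security log has rolled over); treat it as an empty result.
        if ($_.Exception.Message -match 'No events were found') { continue }
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Parse the event XML rather than the message text: the field names are stable.
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.Status -ne '0x0') { continue }            # skip failed TGT requests
        if ($data.TargetUserName -like '*$') { continue }   # skip computer accounts
        $ip = $data.IpAddress -replace '^::ffff:', ''       # strip IPv4-mapped prefix
        # Reverse lookup; without a reverse zone / PTR record this throws -> "NOT FOUND"
        $hostName = $(try { (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop)[0].NameHost }
                      catch { 'NOT FOUND' })
        [pscustomobject]@{
            User        = $data.TargetUserName
            Workstation = $hostName     # an Exchange server here usually means an OWA logon
            IPAddress   = $ip
            Time        = $e.TimeCreated
            DC          = $dc
        }
    }
}

if ($User) { $rows = $rows | Where-Object { $User -contains $_.User } }
$rows = $rows | Sort-Object Time -Descending
if ($LastLogonOnly) { $rows = $rows | Group-Object User | ForEach-Object { $_.Group[0] } }
$rows | Format-Table -AutoSize
```

Run it from an elevated prompt on a domain-joined host, for example `.\Get-TgtLogons.ps1 -MaxEvent 800 -LastLogonOnly` or `-User alice,bob` to restrict the output to specific accounts. Because only Status 0x0 events are kept, a DC that returns no rows at all most often means Kerberos Authentication Service auditing is not enabled there rather than a misconfigured domain.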
Figure-1: List of last logged on users
Figure-2: List of all users logons from their respective computers
Figure-3: Getting Help
Nice script! Is there a way to check only for specified users?
Is there a way to use archived security event files? *.evtx?
Hi! Got this error:
PS C:\Users\Administrator\Desktop> .\Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly
No events were found that match the specified selection criteria.
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
+ PSComputerName : localhost
AD Misconfiguration?