How to list which users have been authenticated to a specified DC ?

Tutorials Win: Microsoft Windows Forum

Hello,

I would like to know how can we list which users have been
authenticated to a specified DC please ?

Is there any command that will do that ?

I am not talking about an echo %logonserver% command as this is more
for a client point of view.
I would like to know that from the DC itself.

Thank you

--
Pascal
Top

Re: How to list which users have been authenticated to a specified DC ? by Richard

Richard
Fri May 09 05:24:13 PDT 2008

Pascal wrote:

> I would like to know how can we list which users have been authenticated
> to a specified DC please ?
>
> Is there any command that will do that ?
>
> I am not talking about an echo %logonserver% command as this is more for a
> client point of view.
> I would like to know that from the DC itself.
>
> Thank you

AD does not keep track of which DC authenticates the user. Some attributes
are not replicated, so a different value is saved on every DC. Unless the
user is locked out or tries an incorrect password, the only attributes
updated on the DC that is not replicated (that I can think of) are lastLogon
and logonCount. You could query the DC and find all users that have a value
greater than 0 for these attributes to determine which users have every
authenticated to that DC. Or, you could query all DC's in the domain to tell
which users last authenticated to the DC (the largest value for lastLogon or
logonCount is the value on the particular DC).

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


Top

Re: How to list which users have been authenticated to a specified DC ? by Pascal

Pascal
Fri May 09 06:22:58 PDT 2008

Hi Richard,

thank you for your answer.

Is it possible to have the answer thanks to auditing on DCs on specific
events like 630 for example ?

This event will be generated only with the DC used for the
authentication, no ?

Thanks

> (that I can think of) are lastLogon and logonCount. You could query the DC
> and find all users that have a value greater

--
Pascal


Top

Re: How to list which users have been authenticated to a specified DC ? by Richard

Richard
Fri May 09 08:51:08 PDT 2008

I hadn't thought of that, but the event id for successful logon is 528, 538
for successful logoff. See this link:

http://technet2.microsoft.com/WindowsServer/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true

However, per this link I'm not sure the DC is logged:

http://support.microsoft.com/kb/174074

Have you tried this?

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Pascal" <pascal_t@nospam.hotmail.com> wrote in message
news:mn.4b9a7d850633e609.70874@nospam.hotmail.com...
> Hi Richard,
>
> thank you for your answer.
>
> Is it possible to have the answer thanks to auditing on DCs on specific
> events like 630 for example ?
>
> This event will be generated only with the DC used for the authentication,
> no ?
>
> Thanks
>
>> (that I can think of) are lastLogon and logonCount. You could query the
>> DC and find all users that have a value greater
>
> --
> Pascal
>
>


Top

Re: How to list which users have been authenticated to a specified DC ? by Richard

Richard
Fri May 09 09:18:34 PDT 2008

I turned on auditing of logon events and I cannot tell which DC
authenticated the user. The logon and logoff events are logged on the client
computers, not on the DC.

Depending on your purpose, one solution might be a logon script that writes
%logonserver% to a log file.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:eWJ3AyesIHA.1240@TK2MSFTNGP02.phx.gbl...
>I hadn't thought of that, but the event id for successful logon is 528, 538
>for successful logoff. See this link:
>
> http://technet2.microsoft.com/WindowsServer/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true
>
> However, per this link I'm not sure the DC is logged:
>
> http://support.microsoft.com/kb/174074
>
> Have you tried this?
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "Pascal" <pascal_t@nospam.hotmail.com> wrote in message
> news:mn.4b9a7d850633e609.70874@nospam.hotmail.com...
>> Hi Richard,
>>
>> thank you for your answer.
>>
>> Is it possible to have the answer thanks to auditing on DCs on specific
>> events like 630 for example ?
>>
>> This event will be generated only with the DC used for the
>> authentication, no ?
>>
>> Thanks
>>
>>> (that I can think of) are lastLogon and logonCount. You could query the
>>> DC and find all users that have a value greater
>>
>> --
>> Pascal
>>
>>
>
>


Top