One of our clients asked whether it is possible to list the users who have actively logged on to the AD domain. After some study of the topic, the information below shows how to achieve it.
We will use PowerShell to pull the information from the following Security event log entry:
4768: A Kerberos authentication ticket (TGT) was requested
At the beginning of the day, when a user sits down at his or her workstation and enters a domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes the status and restriction checks, the DC grants the TGT and logs event ID 4768 (authentication ticket granted).
If the ticket request fails, Windows logs either event 4768 or event 4771 with Failure as the audit type.
Sample Security event log entry (ID 4768):
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: rds1
Supplied Realm Name: MYMDT.LOCAL
User ID: MYMDT\rds1
Service Information:
Service Name: krbtgt
Service ID: MYMDT\krbtgt
Network Information:
Client Address: ::ffff:192.168.1.236
Client Port: 57646
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120
Please refer to the PowerShell below to get the information we want:
# Read the most recent 4768 (TGT requested) events from the Security log.
# -MaxEvents limits how far back we read; raise it if the log is large.
$EventInfo = Get-WinEvent -FilterHashTable @{LogName="Security";ID=4768} -MaxEvents 10000 |
    Where-Object { $_.Message -match 'Result Code:\s+0x0\b' } |            # successful requests only; failed requests are also logged as 4768
    Where-Object { $_.Message -notmatch 'Account Name:\s+(SM|Health)' } |  # skip SM*/Health* service mailbox accounts (matched on the account line only, so a user such as "smith" is kept)
    Where-Object { $_.Message -notmatch 'Account Name:\s+\S+\$' } |        # skip computer accounts, whose names end in $
    Select-Object `
        @{N="Authenticated DC"; Exp={ $_.MachineName }},
        @{N="LoggedOn Time";    Exp={ $_.TimeCreated }},
        @{N="User";             Exp={ $Username = (($_.Message -split "\n") -match "Account Name") -split ':'; $Username[$Username.Length-1].Trim() }},  # text after the last colon of "Account Name: rds1"
        @{N="IP Address";       Exp={
            # "Client Address: ::ffff:192.168.1.236" -> keep the IPv4 part after the last colon; ::1 means the request came from the DC itself
            if ((($_.Message -split "\n") -match "Client Address:").Trim() -match "::1") { "localhost" }
            else { $IPAddress = (($_.Message -split "\n") -match "Client Address") -split ':'; $IPAddress[$IPAddress.Length-1].Trim() }
        }}
$EventInfo
The output consists of the following:
* User Logon Time
* Username with IP Address of their workstation
* The AD Domain Controller that user authenticated to
You can increase the size of the Security event log (the default limit is only 128MB) to view more historical data, because once an entry has been overwritten it will no longer appear in the PowerShell output.
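As an added example (my code, not from the original post), the same query done against the event's XML EventData fields rather than regular expressions over the Message text. Reading the structured fields survives localized message templates and plain IPv6 client addresses, keeps only Result Code 0x0 (failures are logged under the same ID, as noted above), drops computer accounts, bounds the query with StartTime so a large log is not read in full, and collapses the result to one row per user. The EventData field names (TargetUserName, TargetDomainName, IpAddress, Status, ...) are the documented names for event 4768; the sample event, the DC name DC01 and the function names are constructed for this example.

```powershell
# Added example (not part of the original post): parse 4768 from its XML EventData
# instead of the localized Message text. The sample event at the bottom is
# constructed so the parser can be exercised offline.

function ConvertFrom-TgtEventXml {
    # Turn one 4768 event (the string returned by $event.ToXml()) into a flat object.
    param([Parameter(Mandatory)][string]$EventXml)

    [xml]$doc = $EventXml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }   # Name attribute -> text

    $ip = [string]$data['IpAddress']
    if ($ip -eq '::1' -or $ip -eq '127.0.0.1') { $ip = 'localhost' }   # request came from the DC itself
    $ip = $ip -replace '^::ffff:', ''                                   # IPv4-mapped IPv6 -> plain IPv4; real IPv6 stays intact

    [pscustomobject]@{
        'Authenticated DC' = [string]$doc.Event.System.Computer
        'LoggedOn Time'    = [datetime]$doc.Event.System.TimeCreated.SystemTime
        User               = [string]$data['TargetUserName']
        Domain             = [string]$data['TargetDomainName']
        'IP Address'       = $ip
        Success            = ($data['Status'] -eq '0x0')                # non-zero Status = failed request, still event 4768
        IsComputerAccount  = ([string]$data['TargetUserName']).EndsWith('$')
    }
}

function Get-TgtLogons {
    # Live query on a DC: successful user TGT requests since $Since (needs rights to read the Security log).
    param([datetime]$Since = (Get-Date).AddDays(-1), [int]$MaxEvents = 10000)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $Since } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-TgtEventXml -EventXml $_.ToXml() } |
        Where-Object { $_.Success -and -not $_.IsComputerAccount }
}

function Get-LastLogonPerUser {
    # Collapse the per-event list to one row per user: last seen time, last seen IP, DC, and count.
    param([object[]]$Logons = @())

    $Logons | Group-Object User | ForEach-Object {
        $latest = $_.Group | Sort-Object 'LoggedOn Time' -Descending | Select-Object -First 1
        [pscustomobject]@{
            User            = $_.Name
            LastLogon       = $latest.'LoggedOn Time'
            LastIP          = $latest.'IP Address'
            AuthenticatedDC = $latest.'Authenticated DC'
            LogonCount      = $_.Count
        }
    }
}

# --- Offline check against a constructed sample event (values mirror the post's sample entry) ---
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4768</EventID>
    <TimeCreated SystemTime="2024-01-15T08:02:11.000Z" />
    <Computer>DC01.MYMDT.LOCAL</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">rds1</Data>
    <Data Name="TargetDomainName">MYMDT.LOCAL</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.1.236</Data>
    <Data Name="IpPort">57646</Data>
  </EventData>
</Event>
'@
$parsed = ConvertFrom-TgtEventXml -EventXml $sampleXml
$parsed | Format-List
Get-LastLogonPerUser -Logons @($parsed) | Format-Table -AutoSize

# --- Live run on a domain controller ---
# Get-LastLogonPerUser -Logons (Get-TgtLogons -Since (Get-Date).AddDays(-7)) | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

Because each DC only holds the 4768 events it issued itself, run Get-TgtLogons on every DC (or forward the Security logs centrally) to get a complete picture of the domain; a user whose workstation authenticated against another DC will not appear in one DC's log.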