0
votes

I need to get a list of all AD users logon history (not only the last logged on) between two dates (start and end).

I know there are AD management tools like AD Info and AD Tidy but this kind of tools only retrieve the last logged on for each user and I need the logon history for each of them.

Also, I have found a PowerShell script here. This script does what I want: get the complete logon history, but it is based on the Windows event log, inspecting the Kerberos TGT Request Events (Event ID 4768) in Event Viewer on the domain controllers. The problem is that the event log has a maximum size, and once it is reached old logs are deleted automatically.

Now I need to extract the logon history for each AD user between two dates, and I see most of them have already been deleted automatically from the Windows event log, so this script is not retrieving them.

So is there any free tool to extract the complete logon history for each AD user directly from AD? Or do you know a PowerShell script that can do that but requests the data directly from AD instead of the Windows event log?

1
Active Directory doesn't keep a log of each logon for a user. This is why logs are stored in the audit log. - Steve
@Steve I didn't know that. Many thanks for the clarification. And do you know if I can recover deleted entries in the Windows event log? If not, then I understand that in my case there is no possibility to get the logon history... - Ralph

1 Answer

1
votes

Active Directory only stores the last logon date.

As for history, the Domain Controller will log a logon event into the event log. When you have multiple Domain Controllers, whichever Domain Controller you authenticated with will contain that logon entry. That is why the mentioned tools have their place, because they will scan all Domain Controllers for the logon entries instead of you having to manually scan event logs from every Domain Controller.

Event Logs on the Domain Controllers are a finite size, and on some busy domains the log will wrap and sometimes may only contain a single day's worth of entries. One of the things to understand is that Event Logs are meant only for logging information, not auditing information.

If you want to audit logon information, then you should look at a SIEM (Security Information and Event Management) tool. These tools are made for auditing events. They will consume all the domain controllers' event logs and store them. They not only provide auditing (i.e. logon history), but they usually come with a certain set of intelligence capability to alert you of things like suspicious activity or unusual logins.

As for free SIEM tools... well, things are hit and miss. Usually "free" in this area means hard and complicated to set up. The current top "free" open source tool is AlienVault OSSIM. I have heard good things about most paid SIEM tools, which are dramatically easier to set up and usually worth the cost. One popular paid tool is SolarWinds. It will give you all the auditing and compliance things you need. You will likely have to do some scouring to find what meets your auditing and compliance needs.
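As an added illustration of the answer's point (this is not the script referenced in the question, nor part of the answer), the following collects the Kerberos TGT request events (4768) from every Domain Controller for a date window and tabulates them per user. It assumes the ActiveDirectory module is installed and that the account running it can read the Security log remotely on each DC; it can only return whatever each DC's log still holds, which is exactly why a SIEM that consumes the logs continuously is needed for real history.

```powershell
# Added example: gather Event ID 4768 (Kerberos TGT request) from all DCs
# between $Start and $End and summarise per user.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),   # assumed default window
    [datetime]$End   = (Get-Date)
)
Import-Module ActiveDirectory

$dcs    = (Get-ADDomainController -Filter *).HostName
$filter = @{ LogName = 'Security'; Id = 4768; StartTime = $Start; EndTime = $End }

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Parse the event XML; 4768 carries the account, realm,
                # client address and result code as named EventData fields.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    DC       = $dc
                    User     = $data['TargetUserName']
                    Domain   = $data['TargetDomainName']
                    ClientIP = $data['IpAddress']
                    Status   = $data['Status']   # 0x0 means the TGT was issued
                }
            }
    } catch {
        # Get-WinEvent also throws when the window holds no events on this DC
        # (log already wrapped); report it and keep going with the other DCs.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# Full detail for later review, plus a quick per-user count of TGT requests.
$events | Sort-Object Time | Export-Csv -NoTypeInformation -Path .\tgt-requests.csv
$events | Group-Object User | Select-Object Name, Count | Sort-Object Count -Descending
```

Compare each DC's oldest returned event against `$Start`; if it is later, that DC's log has already wrapped and the window is incomplete for it.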