|
If by period of time you mean "ever" then you have a "cute"
little trick you can use and it doesn't require that you ever had auditing
enabled...
adfind -h somedc -default -f
"&(samaccounttype=805306368)(logoncount>=1)" logoncount
-csv
I know some folks who track that attribute on all DCs for
all users to get a rough feel for where people are authenticating at. It is much
more lightweight than scanning logs.
If you need to know within a specific time frame this is a
little "heavier" and I just realized the new -binenc time encoding capability
makes it pretty easy in adfind to do...
adfind -h somedc -default -binenc -f
"&(samaccounttype=805306368)(lastlogon>={{local:2006/03/01}})(lastlogon<={{local:2006/05/01}})"
lastlogon -tdcs -csv
Man that adfind is useful shite. ;o)
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, May 16, 2006 10:30 PM To: [email protected] Subject: [ActiveDir] How to Determine Who Has Authenticated Against DC Hello: Sorry
for what might be an obvious question: Is it possible to determine who has
authenticated against a particular DC over a period of time? (And if so how?) I
suspect that some machines in one site are authenticating against a DC in
another. Without checking each workstation, how can I see where they are
authenticating? Thanks. --
nme P.S.
Not sure if it is related, but the DC in question reports that it can’t provide
some time service to machines in the remote site. (Sorry, not looking at the
exact warning message right now.) -- |
