![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 96%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,614 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
AD authentication is recorded in the event log of the domain controller that authenticated the user. You'd have to query each DC in the AD domain to get that information.
Which activities they undertook would also be recorded in the event log. But unless you're auditing activities you would find much detail.
Note that auditing greatly increases the number of events recorded in the security logs. In a large AD you can rapidly run out of space in the log. Something to keep in mind when you're formulating you audit policies.
While PowerShell can help, you'd probably find that a commercial software (or freeware/shareware) product can help you manage and report all the activity.