Determine who is using a computer in AD

adam900331 366 Reputation points
2020-11-20T11:26:24.103+00:00

Hi!

There is a computer account in my AD, and I don't know which user logs in to the computer and authenticates with his/her domain user account. How can I determine who authenticates with this computer into the AD? I couldn't find any information in Event Viewer...


4 answers

  1. Anonymous
    2020-11-20T12:48:13.763+00:00

    This tool may help.
    https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon

    --please don't forget to Accept as answer if the reply is helpful--


  2. Vicky Wang 2,731 Reputation points
    2020-11-23T08:55:08.033+00:00

    Like most entries in the Active Directory the computer accounts have a globally unique identifier (GUID) that serves as the primary way their object is identified. The computer name is a property of the computer account object, and like you said it can be changed. But the name change doesn't change the GUID.

    Domain member computers are also Kerberos principals in the AD, which means that domain controllers have an associated account password hash they can use to authenticate the computer when it comes online. This password is associated with the computer account object, so renaming it doesn't change this.

    Renaming a computer could potentially cause some DNS problems, but the renamed computer still won't have the right password for the computer account it is trying to impersonate. So from an AD perspective it is clear the computer isn't who it says it is.

    Reference: https://security.stackexchange.com/questions/143206/how-does-windows-active-directory-verify-a-computers-identity


  3. adam900331 366 Reputation points
    2020-11-23T09:58:49.55+00:00

    It is not suitable for me. It only lists who logged in. But I would like to list who logged in to the specified computer, when I know only the computer name.


  4. Vicky Wang 2,731 Reputation points
    2020-11-25T07:25:38.747+00:00

    Open audit on the DC.
    4769 for Kerberos in the security audit.
    Change all to success and failure.

    Since you are not sure which DC the client locates, you need to view all DCs, and then the security event will be very large, and there is a possibility of coverage.

    Hope this information can help you
    Best wishes
    Vicky

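The approach in the last answer (audit event 4769 on every DC, then look for the computer) can be scripted. The following is an added example, not code from any of the posters: it filters 4769 records down to user accounts that requested a Kerberos service ticket for one computer account. The function name, the sample records and the `example.test` names are constructed; note that a ticket for the computer is also requested for remote access to it, so the client address field shows where the request came from.

```powershell
# Added example; function and variable names are hypothetical.
function Get-TicketRequester {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,   # e.g. 'PC01'
        [Parameter(Mandatory)] [string[]] $EventXml        # one $event.ToXml() string per record
    )
    $service = '{0}$' -f $ComputerName                     # computer account name as logged
    foreach ($raw in $EventXml) {
        $doc = [xml]$raw
        $id  = $doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
        if ($id -ne '4769') { continue }
        # Flatten <Data Name="...">value</Data> elements into a lookup table
        $d = @{}
        foreach ($n in $doc.SelectNodes("//*[local-name()='Data']")) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }
        if ($d['ServiceName'] -ne $service) { continue }   # ticket for another service
        $user = ($d['TargetUserName'] -split '@')[0]
        if ($user -like '*$') { continue }                 # machine account, not a person
        [pscustomobject]@{
            Time   = $doc.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
            DC     = $doc.SelectSingleNode("//*[local-name()='Computer']").InnerText
            User   = $d['TargetUserName']
            Client = $d['IpAddress']
            Status = $d['Status']
        }
    }
}

# Constructed sample records (not real log data), trimmed to the fields used above
$template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>4769</EventID><TimeCreated SystemTime='{0}'/>" +
    "<Computer>dc01.example.test</Computer></System><EventData>" +
    "<Data Name='TargetUserName'>{1}</Data><Data Name='ServiceName'>{2}</Data>" +
    "<Data Name='IpAddress'>{3}</Data><Data Name='Status'>0x0</Data></EventData></Event>"
$sample = @(
    ($template -f '2020-11-25T07:01:12Z', 'alice@EXAMPLE.TEST', 'PC01$',    '::ffff:192.0.2.10'),
    ($template -f '2020-11-25T07:01:13Z', 'PC01$@EXAMPLE.TEST', 'PC01$',    '::ffff:192.0.2.10'),
    ($template -f '2020-11-25T07:02:40Z', 'bob@EXAMPLE.TEST',   'FILESRV$', '::ffff:192.0.2.22')
)
Get-TicketRequester -ComputerName 'PC01' -EventXml $sample

# Live use (assumes the ActiveDirectory module and read access to each DC's Security log):
# $xml = Get-ADDomainController -Filter * | ForEach-Object {
#     Get-WinEvent -ComputerName $_.HostName -FilterHashtable @{ LogName = 'Security'; Id = 4769 } |
#         ForEach-Object { $_.ToXml() } }
# Get-TicketRequester -ComputerName 'PC01' -EventXml $xml
```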
