This tool may help.
https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon
--please don't forget to Accept as answer if the reply is helpful--
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hy!
There is a computer account in my AD, and I don't know which user log in to the computer and authenticate with his/her domain user account. How can I determine who authenticate with this computer into the AD? I couldn't find any information in Event Viewer...
This tool may help.
https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon
--please don't forget to Accept as answer if the reply is helpful--
Like most entries in the Active Directory the computer accounts have a globally unique identifier (GUID) that serves as the primary way their object is identified. The computer name is a property of the computer account object, and like you said it can be changed. But the name change doesn't change the GUID.
Domain member computers are also Kerberos principals in the AD, which means that domain controllers have an associated account password hash they can use to authenticate the computer when it comes online. This password is associated with the computer account object, so renaming it doesn't change this.
Renaming a computer could potentially cause some DNS problems, but the renamed computer still won't have the right password for the computer account it is trying to impersonate. So from an AD perspective it is clear the computer isn't who it says it is.
reference:https://security.stackexchange.com/questions/143206/how-does-windows-active-directory-verify-a-computers-identity
It is not suitable for me. It is only list who logged in. But I would like to list who logged in to the specified computer, when I know only the computer name.
Open audit on dc
4769 for kerberos in security audit
Change all to success and failure
Since you are not sure which dc client locates, you need to view all dcs, and then the security event will be very large, and there is a possibility of coverage
Hope this information can help you
Best wishes
Vicky