how to get user account info

tim yang 21 Reputation points
2020-08-20T01:41:43.327+00:00

Hi,

If I only have computer name or IP address in AD, how can I the username which I logon this computer.

Thanks


Accepted answer
  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2020-08-20T03:48:31.42+00:00

    Hello @tim yang ,

    Thank you for posting here.

    Based on the description "if i only have computer name or ip address in AD , how can i the username which i logon this computer", do you mean: if I only have the computer name or IP address in AD, how can I find the username that logged on to this computer? If so, what logon type do you want to find?

    1. If we want to find logon type 2 (Interactive: local interactive login, the most common way to log in), we can log on to this computer with one account (domain user account or domain Administrator account, local account or local Administrator account), then check the user profiles in C:\Users.


    2. If we want to find different logon types, we can log on to this computer with an Administrator account, then check the Security log under Event Viewer\Windows Logs\Security.

    We can see many Event ID 4624 entries (including different kinds of logon type).


    For Event ID 4624, we can refer to the article below.

    4624(S): An account was successfully logged on.
    (I am sorry, I was not allowed to post the corresponding link; we can search for the title I mentioned to find the link if needed.)

    For logon types, we can refer to the article below.

    Audit logon events
    (I am sorry, I was not allowed to post the corresponding link; we can search for the title I mentioned to find the link if needed.)

    Hope the information is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


1 additional answer

  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2020-08-24T07:46:15.24+00:00

    Hello @tim yang ,

    We can enable the Kerberos and NTLM authentication audit policy on the DCs, and if the domain-joined computer is used by one domain user, there will be Event ID 4771 or 4776 on the DCs (Event Viewer\Windows Logs\Security).

    GPO: Default Domain Controller Policy

    Legacy audit policy:

    Computer Configuration\Windows settings\security settings\local policies\audit policy
    Audit Account Logon Events – Failure (on DCs)
    Audit Account Management – Success and Failure (on DCs)

    Or use advanced audit policies (advanced audit policies will overwrite traditional audit policies by default):
    Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration

    on DCs
    Account Logon:
    Audit Kerberos Authentication Service - Failure
    Audit Credential Validation – Failure

    Account Management:
    Audit User Account Management – Success and Failure

    We can run the following commands on the domain controller to force a policy refresh and check whether the related audit policy settings are enabled:

    gpupdate /force
    auditpol /get /category:*

    After that, we can monitor Event ID 4771 or 4776 on the DCs and look in 4771 or 4776 to see whether someone is logged on to this computer.


    Hope the information is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou
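
The lookup both answers describe (Event ID 4624 in the computer's own Security log, 4771 or 4776 on the DCs) can be scripted instead of read by hand in Event Viewer. The PowerShell below is an added example, not part of either answer; the function names `Get-LogonUserFromEventXml` and `New-SampleEvent` are hypothetical, and the sample events, user names and addresses are constructed so the script runs offline.

```powershell
# Added example. On a real host, feed the function with:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4771,4776} | ForEach-Object { $_.ToXml() }
function Get-LogonUserFromEventXml {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,   # one XML string per event
        [Parameter(Mandatory)][string]$Target        # computer name or IP address
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        $id  = [int]$evt.System['EventID'].InnerText
        if ($id -notin 4624, 4771, 4776) { continue }
        # Flatten the <Data Name="..."> elements into a hashtable
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        # The field holding the source host differs per event ID
        $sources = switch ($id) {
            4624 { $d.WorkstationName, $d.IpAddress }
            4771 { $d.IpAddress }
            4776 { $d.Workstation }
        }
        # IPv4 clients can be logged as ::ffff:a.b.c.d; strip the prefix before comparing
        $sources = @($sources) | Where-Object { $_ } | ForEach-Object { $_ -replace '^::ffff:', '' }
        if ($sources -contains $Target) {            # -contains is case-insensitive
            [pscustomobject]@{
                EventId   = $id
                User      = $d.TargetUserName
                LogonType = $d.LogonType             # only present in 4624
                Source    = $Target
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used above
function New-SampleEvent([int]$Id, [hashtable]$Data) {
    $fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID></System><EventData>$fields</EventData></Event>"
}
$sample = @(
    New-SampleEvent 4624 @{ TargetUserName='alice'; LogonType='2'; WorkstationName='PC-0142'; IpAddress='127.0.0.1' }
    New-SampleEvent 4771 @{ TargetUserName='bob'; IpAddress='::ffff:10.20.30.40'; Status='0x18' }
    New-SampleEvent 4776 @{ TargetUserName='carol'; Workstation='PC-0142'; Status='0xc000006a' }
)
Get-LogonUserFromEventXml -EventXml $sample -Target 'PC-0142'     | Format-Table   # alice (4624), carol (4776)
Get-LogonUserFromEventXml -EventXml $sample -Target '10.20.30.40' | Format-Table   # bob (4771)
```

Reading the Security log requires an elevated session, and 4771 or 4776 only appear on the DCs once the audit settings listed above are in effect.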
