Query Active Directory users that do not log on using computer accounts


Dear team,

We need to find out which users are not authenticating using computer accounts. Active Directory treats email authentication as an authenticating mechanism. The tool to gather this requirement, SCCM, is not available currently.

If a computer is joined to the domain, the computer object authenticates to the domain when it starts (if the computer has connectivity). When a user logs on, they should authenticate to the domain (if the user does not authenticate or log on to the local computer). However, Active Directory does not keep track of the computer used by the user. Both the computer object and the user object have the lastLogon attribute updated on the DC that authenticated them, and if the old value is more than 14 days in the past, the lastLogonTimestamp attribute is updated as well.

A user can authenticate to the local computer, whether it is joined to the domain or not. Active Directory does not know about it. After this, if the user authenticates to the domain for email or to access a resource, I assume lastLogon and lastLogonTimestamp are updated for the user. I see no way to tell if the user first authenticated to the local computer. There is no way to tell if the user never used a domain joined computer.

The only solution I can think of might be a logon script that logs the date, user name, and local computer name. I don't know if it would run if the user authenticates for email. Also, the information needs to be logged in a shared location where the user has permissions to write. Then, determine if the computer name in the log is one joined to the domain.



Richard Mueller - MVP Directory Services
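The logon-script approach described in the answer above, written out as an added example (this is not code from the original post or from Richard Mueller). It has two parts: a script that appends one line per interactive logon to a file on a share, and a report that an administrator runs to compare the logged computer names against the computer objects in Active Directory and to list users who show recent activity in AD (via lastLogonTimestamp) without ever appearing in the logon log. The share path `\\fileserver\logonlog$`, the 30-day window and the CSV layout are assumptions chosen for the example; the report requires the ActiveDirectory module from RSAT. Because a logon script fires only for interactive logons, a user who authenticates to the domain only for email will update lastLogonTimestamp but never write a log line, which is exactly the gap the report's first list surfaces.

```powershell
# Added example, not from the original post. Implements the approach from the
# answer: a GPO logon script that records date, user and computer name on a share,
# plus a report that checks each logged computer name against Active Directory.
#
# Assumptions (placeholders, not values from the post):
#   - \\fileserver\logonlog$ is a hidden share where Authenticated Users hold only
#     "Create files / write data" and "Append data" on logons.csv (no read), so a
#     user can add a line but cannot read or alter other users' entries.
#   - The report runs on a machine with the RSAT ActiveDirectory module installed.
#   - $LookbackDays is the window used to call a user "recently active" in AD.

$LogPath      = '\\fileserver\logonlog$\logons.csv'
$LookbackDays = 30

# ---- Part 1: logon script. Assign via GPO:
#      User Configuration > Policies > Windows Settings > Scripts > Logon
function Write-LogonEntry {
    param([string]$Path = $LogPath)
    # One CSV line: timestamp, DOMAIN\user, computer name. Runs as the logging user,
    # so the share ACL above is what keeps the log append-only for them.
    $entry = '{0},{1}\{2},{3}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'),
                                  $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME
    Add-Content -Path $Path -Value $entry
}

# ---- Part 2: report, run by an administrator who can read the share.
function Get-LogonReport {
    param([string]$Path = $LogPath, [int]$Days = $LookbackDays)
    Import-Module ActiveDirectory

    # Set of sAMAccountName-style computer names that exist in the domain.
    $domainComputers = [System.Collections.Generic.HashSet[string]]::new(
        [string[]](Get-ADComputer -Filter * | ForEach-Object { $_.Name.ToUpperInvariant() }),
        [System.StringComparer]::OrdinalIgnoreCase)

    $entries = Import-Csv -Path $Path -Header Date, User, Computer

    # Users whose logged logons all came from computers that are NOT domain objects.
    $loggedUsers = $entries | Group-Object -Property User
    $onlyNonDomainComputers = foreach ($g in $loggedUsers) {
        $joined = $g.Group | Where-Object { $domainComputers.Contains($_.Computer) }
        if (-not $joined) {
            [pscustomobject]@{
                User      = $g.Name
                Computers = ($g.Group.Computer | Sort-Object -Unique) -join ';'
            }
        }
    }

    # Enabled users with recent AD activity who never produced a logon-script line.
    # lastLogonTimestamp is replicated but can lag the true last logon by up to the
    # 14-day update threshold, so widen $Days accordingly when interpreting results.
    $cutoff = (Get-Date).AddDays(-$Days)
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]($loggedUsers.Name | ForEach-Object { ($_ -split '\\')[-1] }),
        [System.StringComparer]::OrdinalIgnoreCase)
    $activeButUnlogged = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp |
        Where-Object {
            $_.lastLogonTimestamp -and
            [DateTime]::FromFileTime($_.lastLogonTimestamp) -gt $cutoff -and
            -not $seen.Contains($_.SamAccountName)
        } |
        Select-Object SamAccountName,
            @{ n = 'LastLogonTimestamp'; e = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } }

    [pscustomobject]@{
        UsersOnNonDomainComputersOnly = $onlyNonDomainComputers
        ActiveInADButNeverLogged      = $activeButUnlogged
    }
}

# Usage on the reporting workstation:
#   $r = Get-LogonReport
#   $r.ActiveInADButNeverLogged | Format-Table
#   $r.UsersOnNonDomainComputersOnly | Format-Table
```

The second list is the one that answers the original question: a user who appears in AD as recently active but never in the log has authenticated to the domain without an interactive logon on a domain-joined computer (email, web access to a resource, and so on). The first list catches computers that write to the share under a domain user's credentials but have no computer object, which the answer says AD itself cannot distinguish.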


Windows Server  >  Directory Services


