
We recently audited our IT equipment inventory and have come across a few laptops which are missing. They aren't on the network, and most haven't logged into our DCs in several months. We have asset tracking but unfortunately we in IT rarely get equipment brought back to us whenever people leave, so things wind up circulating (which is a battle in itself), meaning we don't really know who possessed the laptops last.

I was able to find out when and where the computers were last logged in to our DC (Server 2008r2), but now I'm trying to see if it's possible to find who last logged into these computers via AD or some other means. I've found a few PS scripts but they seem to all rely on the computers being on the network or having audit logs that stretch back several months, which we don't have. Another potential challenge is that if the last logged on user is a terminated employee then chances are good their AD account has been deleted by now.

Any suggestions would be greatly appreciated - thanks!

  • Seems there is no chance to get such info after a time... Audit should be turned on beforehand to track user activity. And in some companies I worked for, a policy was implemented to move fired users' accounts to a special OU in AD, not to remove them... – Sergey Jul 30 '19 at 19:15
  • Do you maintain DC security logs going back far enough to even perform a search? If so, do your DC security logs contain EventID 4776, 4768, or 4769 events? If you answered yes to both those questions, then I think you're in luck. If these logs are not in a SIEM, then the next step is going to be painful and time consuming. But it can be done as long as you know what the old hostname was. – twconnell Aug 02 '19 at 12:12

1 Answer


Without access to Success and/or Failure audit logs spanning back to the relative time that the device was last seen you will not have a way to retrieve the information you're seeking.

As an aside, Active Directory utilizes an extended deletion period termed a "tombstone". This is essentially where an object is held upon deletion for an amount of time equal to the Tombstone Lifetime ("TSL"), which is typically 180 days (Windows Server 2003 and newer). I'm adding this because of the common misconception that a deleted object is immediately gone.

You can view a tombstoned object through PowerShell. An example to retrieve your object: Get-AdObject -Filter { sAMAccountName -like '*kevin' } -IncludeDeletedObjects. You can add ...| Restore-AdObject -Confirm:$FALSE to immediately restore the object. These commands make correlating information obtained from Audit Logs and/or an aggregation product, such as a SIEM, a little bit easier in the case a user object is not found or needs to be retrieved.

Figured it was worth sharing the information for posterity's sake.

Cale Vernon
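The correlation the comment and the answer describe, written out as an added example (not code from the answerer or the question): it reads Kerberos service-ticket (4769) and NTLM validation (4776) events from one DC, keeps those that name the missing laptop, and resolves each account with -IncludeDeletedObjects so tombstoned users still show up. The DC name, the laptop hostname and the assumption that the DC's Security log reaches back far enough are all placeholders/assumptions.

```powershell
# Added example. $Dc and $Laptop are hypothetical; the DC must still hold Security events
# (with Kerberos Service Ticket Operations / Credential Validation auditing on) from the period.
param(
    [string]$Dc     = 'DC01',      # DC whose Security log is searched (placeholder)
    [string]$Laptop = 'LT-0042'    # computer account name of the missing laptop (placeholder)
)
Import-Module ActiveDirectory

# 4769: when a user logs on interactively, the workstation requests a service ticket for
# its own host service, so ServiceName equals the laptop's computer account (LT-0042$).
# 4776: NTLM validation records the source workstation name directly.
$events = Get-WinEvent -ComputerName $Dc -ErrorAction Stop `
    -FilterHashtable @{ LogName = 'Security'; Id = 4769, 4776 }

$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # EventData fields by name
    switch ($e.Id) {
        4769 { if ($d.ServiceName -eq "$Laptop`$") {
                   [pscustomobject]@{ Time = $e.TimeCreated; User = ($d.TargetUserName -split '@')[0]
                                      Source = $d.IpAddress; Via = 'Kerberos 4769' } } }
        4776 { if ($d.Workstation -eq $Laptop) {
                   [pscustomobject]@{ Time = $e.TimeCreated; User = $d.TargetUserName
                                      Source = $d.Workstation; Via = 'NTLM 4776' } } }
    }
}

# Latest logon per user account (computer accounts end in '$' and are skipped), then look the
# account up including deleted objects: a tombstone keeps its sAMAccountName for the TSL.
$hits | Where-Object { $_.User -notlike '*$' } | Sort-Object Time -Descending |
    Group-Object User | ForEach-Object {
        $last = $_.Group[0]
        $obj  = Get-ADObject -Filter "sAMAccountName -eq '$($_.Name)'" -IncludeDeletedObjects `
                    -Properties isDeleted, whenChanged -ErrorAction SilentlyContinue
        [pscustomobject]@{
            User      = $_.Name
            LastLogon = $last.Time
            Via       = $last.Via
            Source    = $last.Source
            AdState   = if (-not $obj) { 'not found (past tombstone lifetime?)' }
                        elseif ($obj.isDeleted) { "tombstoned (deleted, last changed $($obj.whenChanged))" }
                        else { 'active' }
        }
    } | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

If the events have already been forwarded to a SIEM, run the same ServiceName/Workstation match there and feed only the resulting account names to the Get-ADObject step.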