Finding domain account on network

jah8887jah8887 Posts: 45Member ■■■□□□□□□□
Hi all,
I am having an issue finding an AD account that maybe running on pcs and servers in our domain.  I am trying to find a script or suggestion to have something look for this account while doing it passively to avoid interruption.  I have used a powershell script but it seems to not be working as intended and or its not finding what I am looking for.  This account could be used under services and other things on the network.  Any help is appreciated!

Comments

  • PCTechLincPCTechLinc Senior Member King City, CAPosts: 566Member ■■■■□□□□□□
    If you have access to a DC and its Event Log, then you will be able to associate the AD account with the computer that is authenticating, reading through the Security Log in Event Viewer.  Keep in mind that if you have multiple DC's, it will not be 100% accurate, as that information is not stored in the ntds.dit file.

    I am in no way a scripting guru, but if you do a search for "query domain controller user computer" you will get many different options that have worked for other people.
    Master of Business Administration in Information Technology Management - Western Governors University
    Master of Science in Information Security and Assurance - Western Governors University
    Bachelor of Science in Network Administration - Western Governors University
    Associate of Applied Science x4 - Heald College
  • kaijukaiju Posts: 249Member ■■■■□□□□□□
    edited December 2018
    Work smarter NOT harder! Semper Gumby!
  • NetworkNewbNetworkNewb They are watching you Posts: 3,133Member ■■■■■■■■□□
    If you want to find where it is logged in to you could write a script that uses "quser /server:COMPUTERNAME"  and have it loop through all the computers on your network (I'd probably grab all the computer names from Active Directory) and look at the USERNAMEs it finds and notify when it finds the one you are looking for. 

    Not sure if that is helpful, but it is where I would start if I needed to find one on a random network.   I don't have a script like that written since I would just check the SIEM tool at my place. 
Sign In or Register to comment.