Active Directory and ADTimeline(2)
Note: I translated the Japanese original into English using Google Translate.
Thank you, Google.
Summary:
- I created an Alice account, added it to the Domain Admins group, and confirmed it on the timeline.
- Next, I created a Bob account and logged on to the domain, but I could not confirm it in the timeline. (Note: since Bob does not have high privileges, Bob is not displayed in ADTimeline. You can display Bob in the timeline by using the $groupscustom definition.)
----------
[Note] Please be aware that the verification method may not be sufficient.
Continuing from last week, I would like to check what can be investigated by using ADTimeline.
I newly built an Active Directory environment with two DCs (DC1 and DC2) and a client PC1.
First, I created the users Alice and Bob.
DC1: 2/11/2019 7:05:45 AM EID 4720 A user account was created. (Alice)
DC2: 2/11/2019 7:05:45 AM EID 4720 A user account was created. (Bob)
When I checked the DC1 and DC2 timelines, I found a record related to the Alice account, but I could not find a record related to the Bob account. Interesting.
Next, I added the Alice account to the Domain Admins group.
DC1: 2/11/2019 7:08:50 AM EID 4728 A member was added to a security-enabled global group. (Alice ⇒ Domain Admins)
In the timeline, there are records related to the Domain Admins group and to the "adminCount" of the Alice account.
ftimeLastOriginatingChange : 2019-02-11T07:08:50Z
Name : Domain Admins
pszAttributeName : member
ObjectClass : group
DN : CN=Domain Admins,CN=Users,DC=example,DC=local
ObjectCategory : CN=Group,CN=Schema,CN=Configuration,DC=example,DC=local
SamAccountName : Domain Admins
dwVersion : 1
WhenCreated : 2019-01-20 19:20:35Z
Member : CN=alice,CN=Users,DC=example,DC=local
ftimeCreated : 2019-02-11T07:08:50Z
ftimeDeleted : 1601-01-01T00:00:00Z
SID : S-1-5-21-1490397982-2793378994-64436834-512
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 36964
usnLocalChange : 36964
ftimeDeleted and ftimeCreated are described in a Microsoft blog post:
ftimeDeleted: the time the member was removed (equals 0 if the object is currently still a member).
ftimeCreated: the time when the member was added for the first time.
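As an added example (not part of the original post or of ADTimeline), here is a small Python parser for the "key : value" records shown above. It turns one record into a dictionary, joins the wrapped pszLastOriginatingDsaDN continuation line, and derives the two facts an investigator wants from a "member" record: whether the membership is still current (ftimeDeleted equal to the zero FILETIME, rendered as 1601-01-01) and which DC originated the change. The sample record is constructed from the Domain Admins record on this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the Domain Admins "member" record from the timeline,
# including the pszLastOriginatingDsaDN value wrapped over two lines as it
# appears in the extracted text.
SAMPLE_RECORD = """\
ftimeLastOriginatingChange : 2019-02-11T07:08:50Z
Name : Domain Admins
pszAttributeName : member
ObjectClass : group
DN : CN=Domain Admins,CN=Users,DC=example,DC=local
SamAccountName : Domain Admins
dwVersion : 1
WhenCreated : 2019-01-20 19:20:35Z
Member : CN=alice,CN=Users,DC=example,DC=local
ftimeCreated : 2019-02-11T07:08:50Z
ftimeDeleted : 1601-01-01T00:00:00Z
SID : S-1-5-21-1490397982-2793378994-64436834-512
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 36964
usnLocalChange : 36964
"""

# The zero FILETIME (1601-01-01) is how "never deleted" is printed.
NEVER_DELETED = "1601-01-01T00:00:00Z"

# A record line is "<key> :<optional value>"; the value may be empty.
_LINE = re.compile(r"^(\w+) :(.*)$")


def parse_record(text: str) -> dict:
    """Parse one ADTimeline-style record; a line that does not look like
    'key : value' is appended to the previous value (a wrapped DN)."""
    record = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _LINE.match(line)
        if m:
            last_key = m.group(1)
            record[last_key] = m.group(2).strip()
        elif last_key is not None:
            record[last_key] += line.strip()
    return record


def parse_ad_time(value: str) -> datetime:
    """Timestamps are UTC, either '2019-02-11T07:08:50Z' or, for
    WhenCreated, '2019-01-20 19:20:35Z'."""
    return datetime.strptime(value.replace(" ", "T"), "%Y-%m-%dT%H:%M:%SZ") \
        .replace(tzinfo=timezone.utc)


def membership_is_current(record: dict) -> bool:
    """True if this 'member' record has not been deleted (zero ftimeDeleted)."""
    return record.get("pszAttributeName") == "member" \
        and record.get("ftimeDeleted", NEVER_DELETED) == NEVER_DELETED


def originating_dc(record: dict) -> str:
    """The NTDS Settings object sits directly under the server object, so
    the second RDN of pszLastOriginatingDsaDN names the originating DC."""
    rdns = record["pszLastOriginatingDsaDN"].split(",")
    server = rdns[1]
    return server[3:] if server.startswith("CN=") else server


def summarize(record: dict) -> str:
    """One-line summary of a membership change for a timeline report."""
    state = "added" if membership_is_current(record) else "removed"
    return (f"{record['ftimeLastOriginatingChange']} {originating_dc(record)} "
            f"{record['Name']} member {state}: {record.get('Member', '')}")


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(summarize(rec))
```

The continuation handling matters because the DN is the only field that identifies which DC originated the change; without joining the wrapped line, CN=Configuration would be split and the DN would be rejected by any later lookup.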
Next, I logged on to PC1 with the Alice account.
DC2: 2/11/2019 10:57:19 AM EID 4624 An account was successfully logged on. (Alice)
On the timeline, there is a record related to the "lastLogonTimestamp" attribute of the Alice account.
ftimeLastOriginatingChange : 2019-02-11T10:57:19Z
Name : alice
pszAttributeName : lastLogonTimestamp
ObjectClass : user
DN : CN=alice,CN=Users,DC=example,DC=local
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
SamAccountName : alice
dwVersion : 1
WhenCreated : 2019-02-11 07:05:45Z
Member :
ftimeCreated :
ftimeDeleted :
SID : S-1-5-21-1490397982-2793378994-64436834-1104
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 37098
usnLocalChange : 37098
On DC1 and DC2, I checked the properties of the Alice account (Get-ADUser -Identity alice -Properties *).
Since lastLogon is not replicated, its value differs between DC1 and DC2, while the replicated lastLogonTimestamp is the same on both.
DC1
lastLogon : 131943562397419196
LastLogonDate : 2/11/2019 10:57:19 AM
lastLogonTimestamp : 131943562397419196
DC2
lastLogon : 131943562396367072
LastLogonDate : 2/11/2019 10:57:19 AM
lastLogonTimestamp : 131943562397419196
The values output to ADobjects.xml created by ADTimeline are as follows.
lastLogon : 131943562397419196
lastLogonTimestamp : 131943562397419196
Next, I also checked the Bob account. (The Bob account does not have high privileges.)
The Bob account logs on to the domain. You can check Bob's logon in the DC1 and DC2 security logs.
DC1: (screenshot of the security log showing Bob's logon)
DC2: (screenshot of the security log showing Bob's logon)
However, I could not find a record related to the Bob account. I searched for Bob in ADobjects.xml, but it did not exist.
(ADD: I was testing without understanding that ADTimeline targets high-privilege objects. Bob does not have high privileges, so Bob is not displayed on the timeline.)
Just to be sure, I checked the properties of Bob on DC1 and DC2.
lastLogonTimestamp indicates the time Bob logged on (2/11/2019 10:59:19 AM).
DC1
LastLogonDate : 2/11/2019 10:59:19 AM
lastLogonTimestamp : 131943563590742494
DC2
lastLogon : 131943563590742494
LastLogonDate : 2/11/2019 10:59:19 AM
lastLogonTimestamp : 131943563590742494
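As an added example (not from the original post), the following Python code decodes the raw FILETIME integers printed for Alice and Bob above, shows why lastLogon must be compared across DCs (it is not replicated, so each DC only knows the logons it handled) while lastLogonTimestamp is identical everywhere, and computes the window in which the real last logon can lie given the replication delay of up to 14 days mentioned in the PS below. The per-DC values are copied from the page; the "now" instants used in the window calculation are assumptions.

```python
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer (as shown by Get-ADUser) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_utc(iso: str) -> datetime:
    """Helper for test/usage input such as '2019-03-15T00:00:00Z'."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Per-DC attribute values copied from the Get-ADUser output on this page.
# Bob's lastLogon on DC1 was not shown, so it is recorded as None.
ALICE = {
    "DC1": {"lastLogon": 131943562397419196, "lastLogonTimestamp": 131943562397419196},
    "DC2": {"lastLogon": 131943562396367072, "lastLogonTimestamp": 131943562397419196},
}
BOB = {
    "DC1": {"lastLogon": None, "lastLogonTimestamp": 131943563590742494},
    "DC2": {"lastLogon": 131943563590742494, "lastLogonTimestamp": 131943563590742494},
}


def latest_logon(per_dc: dict):
    """lastLogon is not replicated, so the true most recent logon is the
    maximum over every DC that holds a value. Returns (dc, datetime)."""
    known = {dc: v["lastLogon"] for dc, v in per_dc.items() if v["lastLogon"]}
    dc = max(known, key=known.get)
    return dc, filetime_to_datetime(known[dc])


def lastlogon_skew_seconds(per_dc: dict) -> float:
    """Spread between the DCs' lastLogon values, in seconds."""
    vals = [v["lastLogon"] for v in per_dc.values() if v["lastLogon"]]
    return (max(vals) - min(vals)) / 10_000_000


def replicated_value_consistent(per_dc: dict, attr: str = "lastLogonTimestamp") -> bool:
    """A replicated attribute should read the same on every DC once converged."""
    return len({v[attr] for v in per_dc.values()}) == 1


def last_logon_window(ft: int, now: datetime, sync_days: int = 14):
    """lastLogonTimestamp is rewritten only when the stored value is older
    than the sync interval (14 days by default; the actual threshold is
    randomized shorter, so 14 days is a conservative bound). The real last
    logon therefore lies somewhere in [stored, min(now, stored + 14 days)]."""
    stored = filetime_to_datetime(ft)
    upper = min(now, stored + timedelta(days=sync_days))
    return stored, upper


if __name__ == "__main__":
    for name, data in (("alice", ALICE), ("bob", BOB)):
        dc, when = latest_logon(data)
        print(f"{name}: latest lastLogon from {dc} at {when.isoformat()}")
    print(f"alice lastLogon skew between DCs: {lastlogon_skew_seconds(ALICE):.6f}s")
    lo, hi = last_logon_window(BOB["DC2"]["lastLogonTimestamp"], parse_utc("2019-03-15T00:00:00Z"))
    print(f"bob actually last logged on between {lo.isoformat()} and {hi.isoformat()}")
```

The skew of about 0.1 s between DC1 and DC2 for Alice is the two DCs each recording their own authentication of the same logon, which is exactly why a single DC's lastLogon is not a reliable last-activity indicator during an investigation.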
It is interesting that Bob's logon does not appear on the timeline.
The timeline and event log created this time can be downloaded from here.
<add>
I was able to display Bob in the timeline by defining the "Domain Users" group in "$groupscustom".
$groupscustom = "Domain Users"
(I have not read all of README.md. I was taught this by DM. Thank you! ;-)
</add>
PS
lastLogonTimestamp seems to be updated with a delay of up to 14 days, not in real time.
I will continue testing.
Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC
Reference URL: