How to write a PowerShell script to check if PCs and/or Users are authenticating to the correct domain controller

  • General discussion

  • I am tasked with writing a PowerShell script to determine which PCs and or Users are authenticating to the correct domain controller across our entire enterprise and to export the data into a report. I do not have any experience writing scripts and do not know where to begin. I have taken the initiative to secure some reading material but this journey is going to be a long one.

    I would appreciate any assistance from any of you IT pros. 



    • Changed type Bill_Stewart Wednesday, September 13, 2017 9:05 PM
    • Moved by Bill_Stewart Wednesday, September 13, 2017 9:06 PM This is not directory services forum
    Friday, July 21, 2017 1:49 PM

All replies

  • Active Directory does not track which DC was used to authenticate users or computers. So a simple query of AD is not possible for this.

    One option might be to enable auditing of logon events and run a script to parse the logs. Another is to use Group Policy to configure Startup (for computers) and Logon (for users) scripts that log the required information to a shared log file. Then a script could parse this log file to create a report.

    I used a similar approach years ago to track sessions (logon and logoff events and total time logged on), where a session was defined as a user logged into a particular computer. The scripts I used are linked on this page, including the logon, logoff, startup, and shutdown scripts, and the scripts to parse the resulting log files for sessions. Just to give you ideas:


    Edit: The scripts I linked are VBScript and do more than you need, in particular retrieving the IP address. The logon and startup scripts also make 3 attempts to append to the log files (with a pause between), in case more than one user logs on at the same instant. This is only necessary if very many users will logon at once (and rarely even then).

    The logon script for your purpose could be as simple as the following batch file:

    @echo off
    rem Append one CSV row per logon: timestamp, user, computer, authenticating DC
    echo %date% %time%,%UserName%,%ComputerName%,%LogonServer% >> \\MyServer\MyShare\LogUsers.log

    This creates a comma delimited file, which can be read into a spreadsheet for analysis. Or you could code a script to parse the file. Since everything you need is available in the environment, this works fine for users. Computers authenticate at startup, so I need to experiment to see if a similar batch file will work for computers (without %UserName%).

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, July 21, 2017 2:06 PM
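    As an added illustration (not code from this thread), the following PowerShell script parses the comma delimited log produced by the batch logon script above, reports how many logons each domain controller handled, and flags rows where the logon server differs from the DC expected for the computer's branch. The log path, the prefix-to-DC mapping and the sample rows are constructed assumptions.

```powershell
# Added example: parse the CSV log written by the batch logon script and
# report which DC authenticated each user. The mapping, log path and sample
# rows below are constructed assumptions, not values from the thread.

# Expected DC per branch, keyed by the computer-name prefix (assumed naming scheme).
$ExpectedDC = @{
    'NYC' = 'DC-NYC01'
    'LON' = 'DC-LON01'
}

# Constructed sample rows in the batch script's format: date time,user,computer,logon server
$SampleLog = @'
21/07/2017 14:06:01.23,jsmith,NYC-WS012,\\DC-NYC01
21/07/2017 14:06:05.71,adoe,LON-WS044,\\DC-NYC01
21/07/2017 14:07:10.02,bjones,LON-WS045,\\DC-LON01
21/07/2017 14:07:42.88,jsmith,NYC-WS012,\\DC-NYC01
'@

function Get-LogonServerReport {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }          # skip blank lines
        $fields = $line -split ','
        if ($fields.Count -lt 4) { continue }        # skip malformed rows
        $computer = $fields[2].Trim()
        $server   = $fields[3].Trim().TrimStart('\') # %LogonServer% is written as \\NAME
        $expected = $ExpectedDC[($computer -split '-')[0]]
        $match    = if ($expected) { $server -eq $expected } else { $null }
        [pscustomobject]@{
            Timestamp   = $fields[0].Trim()
            User        = $fields[1].Trim()
            Computer    = $computer
            LogonServer = $server
            ExpectedDC  = $expected
            Match       = $match
        }
    }
}

# Parse the sample; in production use: Get-Content '\\MyServer\MyShare\LogUsers.log'
$report = Get-LogonServerReport -Lines ($SampleLog -split "`r?`n")

$report | Group-Object LogonServer | Select-Object Name, Count      # logons per DC
$report | Where-Object { $_.Match -eq $false } | Format-Table -AutoSize  # off-branch logons
$report | Export-Csv -Path '.\LogonServerReport.csv' -NoTypeInformation
```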
  • To add to Richard's excellent comments. AD login DCs are chosen dynamically. This is usually the closest DC to the workstation but network conditions and DC load can cause a different DC to be used. Each request to AD can select a new DC for the request although once logged in there is generally no need to contact a DC.

    If you are having login performance issues you should just check the performance stats for all DCs to see why they may be slow. All DC diags should be run to determine if the AD network is running correctly.


    Friday, July 21, 2017 2:56 PM
  • Good thing I tested. A startup script can log the %ComputerName% environment variable, but %LogonServer% is not available. In my tests, %LogonServer% is blank. I suspected this might be the case. I don't know how to retrieve the DC used during startup.

    The DC that authenticates the computer might not be the same as the one that authenticates the user. In fact, if there is a delay before the user logs on, the DC that authenticated the computer could even be no longer available.

    But the process jrv describes for selecting the DC is the same for computers and users. I suspect checking which DC authenticates users would answer questions anyone has.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, July 21, 2017 4:01 PM
  • Thanks Richard and JRV. Next week I will try your suggestions.



    Friday, July 21, 2017 5:17 PM
  • My question is, "what does 'correct domain controller' mean?"

    Any domain controller can authenticate a user. As jrv pointed out, the domain controller that authenticates the user should be pretty efficient, if the AD sites are set up correctly and the domain controllers aren't overloaded.

    But this is a directory services design and deployment issue, not a scripting issue.

    -- Bill Stewart [Bill_Stewart]

    Friday, July 21, 2017 5:58 PM
  • Bill brings up an important issue. Many installations I have seen have failed to define sites and subnets. Sites and subnets help AD work more efficiently. The hosts will ask for service at the subnet level and never try to poll an AD that is off-subnet unless no DCs are on the subnet. Sites provide a geographical hint that tells AD that different sites are possible at some distance logically.

    S&S also allows nodes to select the closest resources like printers and message queues.  No need to fiddle with IP network calculations.  Just retrieve the site and location then scan for the resource by location.

    Be sure your subnets and sites are defined and defined correctly.


    Friday, July 21, 2017 6:12 PM
  • Bill,

    The correct domain controller is the one for each of our branch locations. So the task I was given was to determine if PCs and users were authenticating to the domain controller for their respective location rather than authenticating to a domain controller from a different branch location. Hope this clarifies your question. My job is Desktop Support Level II and scripting is new to me. 



    Monday, July 24, 2017 3:16 PM
  • The correct domain controller is the one for each of our branch locations.

    The question is whether the idea in your mind of a "correct" domain controller matches how your domain's Active Directory sites and services is actually configured. That is an AD architecture/design question and is not within the scope of this forum.

    -- Bill Stewart [Bill_Stewart]

    Monday, July 24, 2017 4:03 PM
  • All the answers make sense to me. I think the IT Manager was asking for which domain controllers the PCs/users were authenticating to rather than the "correct" domain controllers. At least now I have a framework on where to begin.



    Monday, July 24, 2017 4:51 PM