Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Search for enabled users and last login time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search for enabled users and last login time
Is there an easy way to search Splunk for an AD user account that is enabled and the time they last logged in with their account?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends on which version of windows you're using and how you search
528 is the EventCode for W2k3 and 4624 is the EventCode for W2k8 and Win7. These event codes will be logged on the local system - not the domain controller. So, you would need forwarders on all systems in order to search the security logs. If you had a mix of systems the search would look like this:
EventCode=528 OR EventCode=4624 | eval Account_Name=mvindex(Account_Name,1) | eval UserAccount=coalesce(Account_Name,User_Name) |search NOT UserAccount="*$" NOT UserAccount=anonymous NOT UserAccount=system| dedup UserAccount |table _time,UserAccount,Workstation_Name
If you were just going to monitor the domain controller, then you want to monitor event code 4776 for W2k8.
(EventCode=4776 Error_Code=0x0) | dedup Logon_Account |table _time,Logon_Account,Source_Workstation
The dedup command will tell Splunk to grab the first match it sees, and drop the others, so that should be the most recent event per user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
EventCode 626 means "account enabled". If you are looking for account changes, then you should do that in a separate search.
EventCode=626 |table Caller_User_Name, Target_Account_Name
The caller is the person who changed the account, and the target is the account that was changed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just one last thing - I'm still seeing disabled accounts. Could you show me how to integrate EventCode=626 into this search please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect - thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I added _time to the output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I exclude them. I'll update the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you lukejadamec!
Works nicely, but I see a lot of service accounts in there that I do not want to report on.
If I were to use:
EventCode=528 | eval Account_Name=mvindex(Account_Name,1) | eval UserAccount=coalesce(Account_Name,User_Name) | dedup UserAccount | table_time,UserAccount,Workstation_Name
How would I specify AD accounts in a specific OU?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
