Microsoft Active Directory stores user logon history data in event logs on domain controllers. Starting from Windows Server 2008 and up to Windows Server 2016, the event ID for a user logon event is 4624.
History Of Active Directory. Active Directory was introduced to the world in the mid-1990s by Microsoft as a replacement for Windows NT-style user authentication. Windows NT included a flat and non-extensible domain model which did not scale well for large corporations.
These events contain data about the user, time, computer and type of user logon. Using the PowerShell script provided above, you can get a user login history report without having to manually crawl through the event logs. But running a PowerShell script every time you need to get a user login history report can be a real pain. There’s an easier way to keep an eye on user logon and logoff events and strengthen the security of your Active Directory — Netwrix Auditor. In just a few clicks, you can have the report you need delivered automatically to your email on the schedule you specify.
SID Filtering and AD Migration. For a newly set up trust between two domains or two forests, SID Filtering is activated by default. The filter removes all foreign SIDs from the user’s access token when the user accesses a resource in a trusting domain via a trust.
An example of a foreign SID would be the SID-history of a migrated user account. The SID-history of user accounts and groups enables access to resources in the trusting domain – if the filtering is deactivated. During an Active Directory migration, the SID-history is used for migrated user accounts in the trusted domain (target) to gain access to resources in the trusting domain (source). With activated SID Filtering this is impossible. The picture shows how the SID-History (from the source domain) is deleted from the token while accessing via the trust (with an activated SID filter). Access is not possible. Deactivate SID Filtering. To access resources in a trusting domain, the SID Filtering has to be deactivated.
I recommend using the tool “NetDom” for deactivation. You do this on the “outgoing trust” of the “trusting domain”. Deactivate SID Filter for Domain Trust.
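The effect of SID Filtering on a migrated account, as described above, can be modelled in a few lines. This is an added example, not code from the original page; all SIDs are constructed sample values, the function names are hypothetical, and the model is simplified to "keep only SIDs issued by the trusted domain".

```python
# Added illustration: simplified model of SID Filtering on a trust.
# All SIDs are constructed sample values, not taken from a real domain.
SOURCE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # trusting (source)
TARGET_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"  # trusted (target)


def domain_of(sid: str) -> str:
    """Return the domain part of an account SID (everything before the RID)."""
    return sid.rsplit("-", 1)[0]


def build_token(user: dict) -> set:
    """SIDs placed in the token: account SID, group SIDs and SID-history."""
    return {user["sid"], *user["groups"], *user["sid_history"]}


def cross_trust(token: set, trusted_domain_sid: str, sid_filtering: bool) -> set:
    """With filtering on, drop every SID not issued by the trusted domain."""
    if not sid_filtering:
        return set(token)
    return {sid for sid in token if domain_of(sid) == trusted_domain_sid}


def access_allowed(token: set, acl: set) -> bool:
    """Access is granted if any SID in the token appears in the resource ACL."""
    return bool(token & acl)


# Migrated user: new SID in the target domain, old source SID in SID-history.
OLD_SID = SOURCE_DOMAIN + "-1105"
MIGRATED_USER = {
    "sid": TARGET_DOMAIN + "-2301",
    "groups": [TARGET_DOMAIN + "-513"],
    "sid_history": [OLD_SID],
}
# Resource in the source domain whose ACL still lists only source-domain SIDs.
SHARE_ACL = {OLD_SID, SOURCE_DOMAIN + "-512"}


def check(sid_filtering: bool) -> bool:
    """Can the migrated user reach the source-domain share via the trust?"""
    token = cross_trust(build_token(MIGRATED_USER), TARGET_DOMAIN, sid_filtering)
    return access_allowed(token, SHARE_ACL)


if __name__ == "__main__":
    print("SID Filtering on :", check(True))
    print("SID Filtering off:", check(False))
```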