PowerShell : NetLogon Monitoring

If you have AD DS, then you have a service called Netlogon. It is one of the services that underpins domain-wide communication and, as the name suggests, it handles network logons. The service runs on every domain-joined machine, workstations and servers alike, but the interesting output comes from a domain controller, because that is where logon requests from the whole domain land.

I have posted before about using this to find account lockouts; that assumes the DCs are in Netlogon debug mode, which you can enable with this command:

Nltest /DBFlag:2080FFFF

Note : There is really no reason not to have this set permanently on your domain controllers, unless you wish to hamper your own diagnostic capabilities 🤡. The setting is stored in the registry, so it survives a reboot, and you can turn it off again with Nltest /DBFlag:0x0.

If you set Netlogon to verbose it will write to netlogon.log in C:\Windows\debug, which is capped at 20 MB by default. When it reaches that size it is renamed to netlogon.bak (replacing any previous .bak) and a fresh netlogon.log is started, so at any point you have at most roughly 40 MB of history across the two files; on a busy DC that can be only a few hours, which is why you search all the DCs promptly rather than waiting.
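As an added example (not code from the original post), this enables the flag on every DC in the domain in one go and then confirms it took, reporting the DBFlag value the nltest command writes and the current size of both log files. It assumes the ActiveDirectory module is installed and that PowerShell Remoting is open to the DCs; the registry path is the one Netlogon reads its parameters from.

```powershell
# Added example: enable Netlogon debug logging on every domain controller and
# confirm the flag and log sizes. Assumes the ActiveDirectory module and
# PowerShell Remoting to the DCs.

$Flag = '0x2080ffff'   # use '0x0' here to switch logging off again

# Pull the DC list from AD rather than hard-coding names
$DCs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $DCs -ScriptBlock {
    $flag   = $using:Flag
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # nltest stores the mask in the DBFlag value; no service restart is needed
    nltest "/dbflag:$flag" | Out-Null

    # Read the value back and normalise it to an unsigned 32-bit mask
    # (handles the value being absent, a REG_DWORD, or a hex string)
    $raw  = (Get-ItemProperty -Path $params -Name DBFlag -ErrorAction SilentlyContinue).DBFlag
    $mask = if ($raw -is [string]) { [Convert]::ToUInt32($raw, 16) } else { [uint32]([int64]$raw -band 0xFFFFFFFF) }

    # Current size of the live log and its rotated predecessor, in MB
    $sizes = @{}
    Get-ChildItem -Path "$env:SystemRoot\debug" -Filter 'netlogon.*' -ErrorAction SilentlyContinue |
        ForEach-Object { $sizes[$_.Name] = [math]::Round($_.Length / 1MB, 1) }

    [pscustomobject]@{
        DC      = $env:COMPUTERNAME
        DBFlag  = '0x{0:X8}' -f $mask
        Verbose = ($mask -band 0x2080FFFF) -eq 0x2080FFFF   # every bit of the verbose mask set
        LogMB   = $sizes['netlogon.log']
        BakMB   = $sizes['netlogon.bak']
    }
} | Sort-Object DC | Format-Table DC, DBFlag, Verbose, LogMB, BakMB -AutoSize
```

Run it once with the verbose flag and you get a one-line-per-DC table; run it again later and the LogMB/BakMB columns tell you how quickly each DC churns through its 40 MB window, which is the figure you need when deciding how far back a lockout investigation can realistically reach.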

Now, when troubleshooting, you need to search all the DCs for the relevant entries. You can look at the last 100 lines of the log on a single DC over the admin share with:

Get-Content "\\cloverleaf\c$\Windows\debug\netlogon.log" -Tail 100

If you want to be a little more specific, for a certain user for example, you can filter that output. The /l switch makes findstr treat the string literally (so the backslash in DOMAIN\user is not read as a regex escape) and /i makes the match case-insensitive:

Get-Content "\\cloverleaf\c$\Windows\debug\netlogon.log" -Tail 100 | findstr /i /l /c:"Bear\Bad.Bear"

However, scripting helps here as well. Assuming Netlogon debug is enabled on all the AD DS servers and you want to search every DC for a certain user and return the results, you can use the script below; just update the $DC list of domain controllers:

# Prompt for the partial UserID to search (matched as literal text, not as a regex,
# so the dot in a name like Bad.Bear does not match any character)
$PartialUserID = Read-Host -Prompt 'Enter part of the UserID to search'
$Pattern = [regex]::Escape($PartialUserID)

# Domain controllers to query - update this list for your environment
$DC = @('cloverleaf', 'honeybark', 'honeyhill')

foreach ($server in $DC) {
    try {
        # Read the log on each DC over PowerShell Remoting. The path is local to the
        # DC because the script block runs there; a \\$server\c$ UNC path inside the
        # remote session would need a second hop of authentication and fail.
        $result = Invoke-Command -ComputerName $server -ScriptBlock {
            param ($Pattern)
            Get-Content "$env:SystemRoot\debug\netlogon.log" -Tail 220 |
                Where-Object { $_ -match $Pattern }
        } -ArgumentList $Pattern -ErrorAction Stop

        # Output results
        if ($result) {
            Write-Host "Results for partial UserID '$PartialUserID' on $($server):"
            $result
        } else {
            Write-Host "No matches found for partial UserID '$PartialUserID' on $($server)."
        }
    } catch {
        # Access denied, DC offline, WinRM not listening etc. all land here
        Write-Warning "Error occurred while querying $($server): $($_.Exception.Message)"
    }
}

That will then prompt you for the UserID, which is used as a partial match against the log lines.

Note : You will need to run PowerShell as an account that is an administrator on the domain controllers (remoting to a DC requires it), else the remote session is refused and you will get no results returned!
For each DC this will then either report that nothing was found, or, if it finds records, print the matching lines from that DC's log underneath the "Results for" header.
