In environments with a SIEM or other Log Management system, and especially where enhanced auditing and diagnostic logging is enabled, the logs on the DCs will not have a long login history on the individual DCs.
In some cases, the DC's Security Log only contains data from the last few hours.
In these cases PowerPUG is at risk of giving you a false sense of "No NTLM logons on this account".
Suggestion: How about checking what the oldest entry in the log is and letting the user know how long a period the result is based on?
This way, users can see if the log only contains a few days or even hours of data.
If so, they cannot trust the result if PowerPUG finds no NTLM logons, and they will need to look in their SIEM or Log Management solution to find the answers.
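
One way to do the check suggested above, as an added example that is not PowerPUG's own code: read the oldest Security log entry on each DC and report how many days of history the log holds. The function name `Get-SecurityLogCoverage` and the 30-day `MinimumDays` threshold are assumptions, as is the availability of the ActiveDirectory module and remote read access to the Security log.

```powershell
# Added example (not part of PowerPUG). Function name and threshold are hypothetical.
function Get-SecurityLogCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # Assumed minimum history needed before a "no NTLM logons" result is trusted.
        [int]$MinimumDays = 30
    )

    foreach ($computer in $ComputerName) {
        try {
            # -Oldest returns events in ascending order, so the first one is the oldest.
            $oldest = Get-WinEvent -ComputerName $computer -LogName Security `
                -Oldest -MaxEvents 1 -ErrorAction Stop
            $span = (Get-Date) - $oldest.TimeCreated

            [pscustomobject]@{
                ComputerName = $computer
                OldestEvent  = $oldest.TimeCreated
                CoverageDays = [math]::Round($span.TotalDays, 2)
                Sufficient   = $span.TotalDays -ge $MinimumDays
                Error        = $null
            }
        }
        catch {
            # An unreachable DC or an empty log gives no evidence either way,
            # so it is reported as insufficient rather than skipped.
            [pscustomobject]@{
                ComputerName = $computer
                OldestEvent  = $null
                CoverageDays = 0
                Sufficient   = $false
                Error        = $_.Exception.Message
            }
        }
    }
}

# Query every DC in the current domain (requires the ActiveDirectory module).
$dcs = (Get-ADDomainController -Filter *).HostName
$coverage = Get-SecurityLogCoverage -ComputerName $dcs
$coverage | Sort-Object CoverageDays | Format-Table -AutoSize

$short = @($coverage | Where-Object { -not $_.Sufficient })
if ($short.Count -gt 0) {
    Write-Warning ("{0} DC(s) hold less than the required log history; check the SIEM before trusting a 'no NTLM logons' result." -f $short.Count)
}
```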