RE: Tracking user logins

2008-02-01 Thread James Winzenz
The problem I have seen is that the DC security logs do not show which
workstation someone authenticated from.  You should be able to find out
when user x authenticated from the security logs (depending on your
event log size as well as how fast logs are overwritten).  You can use
the filter view for the specific username IF said user actually logged
onto and authenticated to your network.  If someone decided to bring in
a personal computer and just plugged in, well, that's a different story.
How many computers at the remote site?  Any chance of pulling a copy of
their event logs and looking at them?  Interactive logons are only
logged on the machine that was logged on to, AFAIK.  There are lots of
options here, this is just a start.

 

James Winzenz

Infrastructure Engineer - Security

Pulte Homes Information Services

 



From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Posted At: Friday, February 01, 2008 9:44 AM
Posted To: NTSysadmin
Conversation: Tracking user logins
Subject: Tracking user logins
  

 

I would like to be able to see when User X logged into the network.  I'd
also like to see on Date Y, who logged into the network, and at what
time.

 

Here's what I'm looking at:

 

I get automated router bandwidth reports from our ISP on a monthly
basis.  At one of our remote sites, there is a huge inbound traffic
spike on a couple of weekend days.  We don't work on the weekend, so I'd
like to try to figure out where these spikes came from.  I've looked at
the Security log on my DC, but that's about as helpful as, well I'm
Shook could come up with a funny line there... anyway, does the Security
log track the information I'm looking for, and if so, how can I actually
get to it?

 

Joe Heaton

AISA

Employment Training Panel

1100 J Street, 4th Floor

Sacramento, CA  95814

(916) 327-5276

[EMAIL PROTECTED] 

CONFIDENTIALITY NOTICE:  This email may contain confidential and privileged 
material for the sole use of the intended recipient(s).  Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately by 
email and delete the message and any file attachments from your computer.  
Thank you.

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm  ~

RE: Tracking user logins

2008-02-01 Thread Christopher Boggs
From what I remember:

 

You need to enable auditing of account logon events for the DC, which
will generate audit entries for any user account authenticated against
the domain controller you set it up on, and it should show what
workstation (or IP) they are logging in from.  For a catch-all, audit
logon events, which pretty much logs ALL logon attempts local to the
machine (not just local as in Local accounts, but everything, even
machine accounts)  

 

Account logon events only grabs interactive or network logons.

 

 

It's all configured in the Computer Configuration\Security
Settings\Local Policies\Audit Policy portion of Group Policy

 

I could be wrong though, wouldn't be the first time.

 

cb




Re: Tracking user logins

2008-02-01 Thread Eric Woodford
Hey Joe,

Can you add a line to the logon script of the users?

echo %DATE% %TIME% %USERNAME% >> \\server\logon$\%COMPUTERNAME%.log

Then you can just audit the log files generated.



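One way to audit the files that the logon-script line above produces, added here as an example and not part of the original post: it parses the per-computer logs and answers when a user logged on, who logged on on a given date, and which logons fell on a weekend. It assumes US-English %DATE% and %TIME% output (for example "Sat 02/02/2008 14:03:27.51"); the computer names, user names and log lines are constructed sample data.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Assumption: US-English %DATE% / %TIME%, e.g. "Sat 02/02/2008  9:44:12.34 jdoe".
# Hours below 10 are space-padded and echo leaves a trailing space before ">>".
LINE_RE = re.compile(
    r"^(?:[A-Za-z]{3}\s+)?(\d{2}/\d{2}/\d{4})\s+"
    r"(\d{1,2}:\d{2}:\d{2})(?:\.\d+)?\s+(\S.*?)\s*$"
)

def parse_log(computer, text):
    """Yield (timestamp, user, computer) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line, e.g. a partial write
        try:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S")
        except ValueError:
            continue  # looks like a date but is not a valid one
        yield ts, m.group(3).lower(), computer

def load(logs):
    """logs maps file name -> contents; the computer name is the file stem."""
    events = []
    for name, text in logs.items():
        events.extend(parse_log(PureWindowsPath(name).stem.upper(), text))
    return sorted(events)

def logons_for_user(events, user):
    return [e for e in events if e[1] == user.lower()]

def logons_on_date(events, day):
    return [e for e in events if e[0].date() == day]

def weekend_logons(events):
    return [e for e in events if e[0].weekday() >= 5]  # Saturday=5, Sunday=6

# Constructed sample data, not real logs.
SAMPLE = {
    "WS-REMOTE01.log": "Fri 02/01/2008  8:02:11.40 jsmith \n"
                       "Sat 02/02/2008 14:03:27.51 tbrown \n",
    "WS-REMOTE02.log": "Fri 02/01/2008  8:15:42.07 tbrown \n"
                       "Sun 02/03/2008 10:20:00.12 TBrown \ngarbage line\n",
}

if __name__ == "__main__":
    for ts, user, computer in weekend_logons(load(SAMPLE)):
        print(ts.isoformat(sep=" "), user, computer)
```

These files are written by the users themselves, so the share has to be writable by them; treat the result as a lead to confirm against the Security event logs rather than as an authoritative record.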

RE: Tracking user logins

2008-02-01 Thread Louis, Joe
We do something similar using VBScript and create a log file. It also
includes some other data we use/track for first level diagnosis. Just have
to keep an eye on the file size or it will eventually start to slow down user
logons while it writes to file.
