meier, Guido
Sent: Saturday, March 04, 2006 4:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "NTLM Authentication" Security Principal
both "NTLM Authentication" and "This Organization" are so called
well-known-security principals. They are added dynamica
both "NTLM Authentication" and "This Organization" are so called
well-known-security principals. They are added dynamically to the token of a
user when the users authenticate in their domain or accross a trust.
However, they're not groups that you can read any memberships from like you can
with
. Conrad
Sent: Friday, March 03, 2006 8:35
AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
"NTLM Authentication" Security Principal
In the NTDS performance object there are two counters: NTLM
Authentcations and Kerberos Authentications. They wouldn't be able to te
If you are auditing logon events you can query the domain controller
security logs for NTLM logon events.
You'll need to use eventcombmt or some other utility to query all DCs for
these events.
Win2000 DCs records successful NTLM logons in event 680 and failed logons in
event 681.
Win2003 DCs reco
In the NTDS performance object there are two counters: NTLM Authentcations and Kerberos Authentications. They wouldn't be able to tell you "who" is authencating using those methods, but they would be able to provide a better idea. Both counters are in number of requests per second.
Ryan
On 3/3
