From: Jaymz Ringler [mailto:[EMAIL PROTECTED]
Sent: Tue 7/22/2003 11:09 PM
To: Jose Guevarra; [EMAIL PROTECTED]
Cc:
Subject: Re: finding who has logged in on Win2k Pro
If you're in a domain, I remember seeing a script or t
I'm not sure how reliable this is, but I generally check the modified date on
ntuser.dat under each profile directory. This would only work with local
profiles I believe and could be circumvented if the user is so motivated.
Does anyone know of problems with this method assuming the user isn't ove
Because this is after the fact and you are trying to do a forensic
investigation post mortem... it's a little too late to turn on the proper
event logging to track user logins through EventLog (which you should have
on anyways. Never did understand why the default wasn't ON by default)
At this point
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/default.asp
From: "Jaymz Ringler" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "Jose Guevarra"
<[EMAIL PROTECTED]>,[EMAIL PROTECTED]
Subject: Re: finding who has logged in on
It can be logged, but it isn't by default. You need
to enable auditing of login events in the security
policy, and then you can see them in the Event Viewer.
David Gillett
> -----Original Message-----
> From: Jose Guevarra [mailto:[EMAIL PROTECTED]
> Sent: July 22, 2003 11:03
> To: [EMAIL PRO
Jose,
> We have possibly had some type of incident at our work place. I'd like to
> know if it is possible to check and see the "User Login" history on a Win2K
> pro machine. Is this history log enabled by default? What are some other
> ways?
A starting point would be your Security logs, under
If you're in a domain, I remember seeing a script or two on
Microsoft's site or maybe a Win2k tech site, that will enumerate
Active Directory and tell you exactly when and where they've logged
into the domain.
Unfortunately I don't remember where I found it. And also if it works
on a Win2k
Check the Security log in Event Viewer. By default this is the only area that will
tell you who has logged in when. There are two points to remember here:
1. Account logon auditing must be enabled for success and failure. This should be
enabled at the domain level if your machine is on a domain.