RE: finding who has logged in on Win2k Pro

2003-07-23 Thread thalm
- From: Jaymz Ringler [mailto:[EMAIL PROTECTED] Sent: Tue 7/22/2003 11:09 PM To: Jose Guevarra; [EMAIL PROTECTED] Cc: Subject: Re: finding who has logged in on Win2k Pro If you're in a domain, I remember seeing a script or t

RE: finding who has logged in on Win2k Pro

2003-07-23 Thread CHRIS GRABENSTEIN
I'm not sure how reliable this is, but I generally check the modified date on ntuser.dat under each profile directory. This would only work with local profiles I believe and could be circumvented if the user is so motivated. Does anyone know of problems with this method assuming the user isn't ove

Re: finding who has logged in on Win2k Pro

2003-07-23 Thread Dana Epp
Because this is after the fact and you are trying to do a forensic investigation post mortem... it's a little too late to turn on the proper event logging to track user logins through EventLog (which you should have on anyways. Never did understand why the default wasn't ON by default) At this point

Re: finding who has logged in on Win2k Pro

2003-07-23 Thread Gerard Vignes
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/default.asp From: "Jaymz Ringler" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: "Jose Guevarra" <[EMAIL PROTECTED]>,[EMAIL PROTECTED] Subject: Re: finding who has logged in on

RE: finding who has logged in on Win2k Pro

2003-07-22 Thread David Gillett
It can be logged, but it isn't by default. You need to enable auditing of login events in the security policy, and then you can see them in the Event Viewer. David Gillett > -Original Message- > From: Jose Guevarra [mailto:[EMAIL PROTECTED] > Sent: July 22, 2003 11:03 > To: [EMAIL PRO

Re: finding who has logged in on Win2k Pro

2003-07-22 Thread Brad Mills
Jose, > We have possibly had some type of incident at our work place. I'd like to > know if it is possible to check and see the "User Login" history on a Win2K > pro machine. Is this history log enabled by default? What are some other > ways? A starting point would be your Security logs, under

Re: finding who has logged in on Win2k Pro

2003-07-22 Thread Jaymz Ringler
If you're in a domain, I remember seeing a script or two on Microsoft's site or maybe a Win2k tech site, that will enumerate Active Directory and tell you exactly when and where they've logged into the domain. Unfortunately I don't remember where I found it. And also if it works on a Win2k

RE: finding who has logged in on Win2k Pro

2003-07-22 Thread McGill, Lachlan
Check the Security log in Event Viewer. By default this is the only area that will tell you who has logged in when. There are two points to remember here: 1. Account logon auditing must be enabled for success and failure. This should be enabled at the domain level if your machine is on a domain.