Re: wkstation interactive logon recorded on DC?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/16/05

  • Next message: Miha Pihler [MVP]: "Re: Open Ports after Port Scanning"
    Date: Wed, 16 Nov 2005 10:39:30 -0600
    
    

    Enable auditing of account logon events in Domain Controller Security Policy
    and then you will see an account logon event when a user logs onto a domain
    computer. I would also suggest that you enable auditing of logon events
    [different from account logon events] in Domain Security Policy. Then a type
    2 logon event will also be generated in the security log of the domain
    computer they logon to via the console. You can use the free Event Comb from
    Microsoft to remotely search the security logs of domain computers and the
    text string search comes in handy because you can enter computer/user name,
    etc. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
    Comb.
    http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx
     --- The Security Monitoring and Attack Detection Planning Guide

    <-> wrote in message news:uihHEgs6FHA.3660@TK2MSFTNGP09.phx.gbl...
    > How can I tell when users interactively log on to their desktops by
    > checking
    > the DC event logs?
    >
    >
    >


  • Next message: Miha Pihler [MVP]: "Re: Open Ports after Port Scanning"

    Relevant Pages

    • Re: windows 2000 server auditing objects...
      ... You can enable auditing of logon events to track when a "user" logs onto a computer ... user logs onto the domain by viewing the security log in Event Viewer. ... You can also enable auditing of object access on a computer and then audit access to ...
      (microsoft.public.win2000.security)
    • Re: weird security logs
      ... >>> I'm getting a lot of authentication logs in the security logs on an ... > my security log logs when both login types have either success or failure. ... > and failure on both account logon events and logon events. ... > disabling the audit success on both and audit just fail. ...
      (microsoft.public.win2000.security)
    • Re: weird security logs
      ... > the browser service on all your machines (just stop it, don't disable, no ... >> I'm getting a lot of authentication logs in the security logs on an ... my security log logs when both login types have either success or failure. ... and failure on both account logon events and logon events. ...
      (microsoft.public.win2000.security)
    • Re: Need logon and Logoff data for 30 days
      ... Auditing of account logon events alone will not show when a user logs off. ... You would need to enable auditing of logon events [or just use logon events ...
      (microsoft.public.security)
    • Re: wkstation interactive logon recorded on DC?
      ... Enable auditing of account logon events in Domain Controller Security Policy ... Microsoft to remotely search the security logs of domain computers and the ...
      (microsoft.public.platformsdk.security)