Re: How to find out what computer a user logged in on.

From: andy smart (anonymus_at_discussions.microsoft.com)
Date: 04/25/05 

Date: Mon, 25 Apr 2005 14:54:10 +0100

Steven L Umbach wrote:
> For a domain your best bet is to enable auditing of logon events in Domain
> Controller Security Policy and for domain computers enable auditing of logon
> events in Domain Security Policy. Be sure to increase the size of your
> security log quite a bit on your domain controllers to sat at least 10MB.
> You would then have to look in the security logs of the domain controllers
> to see the user name and account logon events. There would also be a logon
> event recorded on the domain computer where they logged on though that would
> be more difficult to find though the free tool Event Comb can scan the logs
> of multiple computers for specific events or text strings such as a user or
> computer name. If you have at least one Windows 2003 domain controller you
> can use the new limitlogon RK tool to track user logons. The link below may
> help. -- Steve
>
> http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx
> http://www.thincomputing.net/newsitem296.html -- limitlogon info and FAQ
> link
>
> <Atlanta Thrashers Fan> wrote in message
> news:95vf61hc3cod07uq8hp2s8vk7uigf5m238@4ax.com...
>
>> I need to know how to find out what computer a user logged in on.
>>I've looked in the Security Event Log, and I see there's a field for
>>it. But, there's no information in that field. It's almost always
>>blank.
>> Also, how can I find out what computer(s) a user is currently
>>logged in on? I have the Windows 2000 Resource Kit, but I haven't
>>seen a tool in there that will tell me. Any help you can give is
>>greatly appreciated.
>
>
>
We use EventComb for just that purpose, and we find it works well for
us. We often need to find out who was where when, the only thing is you
must either have a big enough event log or act fast (as Steven indicated)

Relevant Pages

  • Re: Windows 2000 users accounts get locked out
    ... > These failed logons ... >>account logon events enabled in Domain Security Policy ... > and Domain Controller ...
    (microsoft.public.win2000.security)
  • Re: How to find out what computer a user logged in on.
    ... For a domain your best bet is to enable auditing of logon events in Domain ... Controller Security Policy and for domain computers enable auditing of logon ... security log quite a bit on your domain controllers to sat at least 10MB. ...
    (microsoft.public.win2000.security)
  • Re: Logging in interactively
    ... By default users can logon to all domain computers except domain ... When you check the Local Security Policy be sure to look at the ... Controller Security Policy would have to be modified as those user rights ...
    (microsoft.public.win2000.security)
  • Re: Windows 2000 users accounts get locked out
    ... be "Domain Security Policy" in a default installation - it will NOT work if you do it ... Have you found any failed logon event ID's on any domain computer? ... Have you had a chance to run netdiag and dcdiag on the domain controller and netdiag ...
    (microsoft.public.win2000.security)
  • Re: Help with Security Logs
    ... Security" means that the event was generated by the security ... Primary User is the user context that actually performed the access; ... Client User is the user on behalf of whom the file was accessed. ... The Logon ID fields for Primary User and Client User identify a unique logon ...
    (microsoft.public.security)