Security Event Log madness.

From: Nunya Beeswax (no email)
Date: 04/26/05


Date: 26 Apr 2005 15:06:11 -0500


     We've had a student in our school system delete a ton of files on
a server that were wide-open to students. The permissions allowed
students to delete files because Microsoft Office files need 'Delete'
permissions or they'll create the filename but the file will be empty.
The students have their own individual folder for saving files that
only they can access but most of the teachers had them using the
'open' folder. I recovered everything from our backup, but we don't
want to let this slide.
     Anyway, I know the username of the student that deleted the
files. But, I need to determine the computer they did it from. I
know it's one of two computers. I have the security logs from both
domain controllers, the file server the files were deleted from and
the computers she logged in on. I see clearly in the log from the
file server that she deleted the files. But, it doesn't tell me what
computer the delete command was executed from. I don't see anything
in ANY of the other security logs that tells me what computer the
delete command came from.
     I see events 540 & 576 in the log of one of the domain
controllers involving this user, but the 'Workstation Name' field is
blank in the 540 events. Surely to God above there is some way to
find out what computer she actually used, but I don't see anything in
any of these logs that tells me.
     I need to know what computer she deleted the files from. Also,
if someone can point me to a good book or online resource that tells
me how to make sense of the event logs I would REALLY appreciate it.
Any light you can shed on this would be GREATLY appreciated.


