Security Event Log madness.

From: Nunya Beeswax (no email)
Date: 04/26/05

• Next message: Nunya Beeswax: "Decode Event 560"
• Previous message: Gary Massengale: "event id 529 logon type 3 - lots of them"
• Next in thread: andy smart: "Re: Security Event Log madness."
• Reply: andy smart: "Re: Security Event Log madness."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 26 Apr 2005 15:06:11 -0500

     We've had a student in our school system delete a ton of files on
a server that were wide-open to students. The permissions allowed
students to delete files because Microsoft Office files need 'Delete'
permissions or they'll create the filename but the file will be empty.
The students have their own individual folder for saving files that
only they can access but most of the teachers had them using the
'open' folder. I recovered everything from our backup, but we don't
want to let this slide.
     Anyway, I know the username of the student that deleted the
files. But, I need to determine the computer they did it from. I
know it's one of two computers. I have the security logs from both
domain controllers, the file server the files were deleted from and
the computers she logged in on. I see clearly in the log from the
file server that she deleted the files. But, it doesn't tell me what
computer the delete command was executed from. I don't see anything
in ANY of the other security logs that tells me what computer the
delete command came from.
     I see events 540 & 576 in the log of one of the domain
controllers involving this user, but the 'Workstation Name' field is
blank in the 540 events. Surely to God above there is some way to
find out what computer she actually used, but I don't see anything in
any of these logs that tells me.
     I need to know what computer she deleted the files from. Also,
if someone can point me to a good book or online resource that tells
me how to make sense of the event logs I would REALLY appreciate it.
Any light you can shed on this would be GREATLY appreciated.

---

• Next message: Nunya Beeswax: "Decode Event 560"
• Previous message: Gary Massengale: "event id 529 logon type 3 - lots of them"
• Next in thread: andy smart: "Re: Security Event Log madness."
• Reply: andy smart: "Re: Security Event Log madness."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Unable to access System & Application logs ... Hi there, I also have about the same problem, cannot access eventlogs ... > automatically generate new, clear logs. ... Check the ntfs permissions on the .evt logs on the dc's to make ... >>> I can view the security log, Directory service, DNS server and File ... (microsoft.public.win2000.security) Re: Roaming TS Profiles - Office Desktops Links ... Take a look at the permissions of the "All Users" desktop and check the permissions. ... "Andi Maffia" wrote in message ... When a User creates the Link on either server and logs off, ... (microsoft.public.windows.terminal_services) Re: Security Event Log madness. ... > a server that were wide-open to students. ... I have the security logs from both ... > me how to make sense of the event logs I would REALLY appreciate it. ... (microsoft.public.win2000.security) Re: Restrict MyComputer?? ... Server question from a high school teacher: ... How can I advise my techs to create permissions so that Start> ... MyComputer will ONLY take the student into specific folders on the ... your students should be saving to redirected folders on the ... (microsoft.public.windows.server.general) Re: Restrict MyComputer?? ... Server question from a high school teacher: ... How can I advise my techs to create permissions so that Start> ... MyComputer will ONLY take the student into specific folders on ... your students should be saving to redirected folders on ... (microsoft.public.windows.server.general)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)