Re: Security Event Log madness.

From: andy smart (anonymus_at_discussions.microsoft.com)
Date: 04/28/05


Date: Thu, 28 Apr 2005 14:11:07 +0100

Nunya Beeswax wrote:
> We've had a student in our school system delete a ton of files on
> a server that were wide-open to students. The permissions allowed
> students to delete files because Microsoft Office files need 'Delete'
> permissions or they'll create the filename but the file will be empty.
> The students have their own individual folder for saving files that
> only they can access but most of the teachers had them using the
> 'open' folder. I recovered everything from our backup, but we don't
> want to let this slide.
> Anyway, I know the username of the student that deleted the
> files. But, I need to determine the computer they did it from. I
> know it's one of two computers. I have the security logs from both
> domain controllers, the file server the files were deleted from and
> the computers she logged in on. I see clearly in the log from the
> file server that she deleted the files. But, it doesn't tell me what
> computer the delete command was executed from. I don't see anything
> in ANY of the other security logs that tells me what computer the
> delete command came from.
> I see events 540 & 576 in the log of one of the domain
> controllers involving this user, but the 'Workstation Name' field is
> blank in the 540 events. Surely to God above there is some way to
> find out what computer she actually used, but I don't see anything in
> any of these logs that tells me.
> I need to know what computer she deleted the files from. Also,
> if someone can point me to a good book or online resource that tells
> me how to make sense of the event logs I would REALLY appreciate it.
> Any light you can shed on this would be GREATLY appreciated.

Do you know when the files were deleted? If so, you could run the
eventcomb tool (free from somewhere on microsoft.com) over the
event logs, which should tell you which machine they were on.

BTW, why do you need to know which workstation it was? If you got her
bang to rights, why do you need to know where it was done from?
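
Added example, not part of the original post and not EventComb itself: the time-window search suggested above, sketched in Python over records exported from the two candidate workstations' Security logs. The host names, user names and record layout are constructed for illustration; event IDs 528 (logon) and 538 (logoff) and logon type 2 (interactive) are the Windows 2000/2003 values.

```python
from datetime import datetime, timedelta

# Constructed sample records, as if exported from the Security logs of the two
# candidate workstations: (computer, time, event ID, user, logon type, logon ID).
# 528 = successful logon, 538 = logoff; logon type 2 = interactive.
EVENTS = [
    ("LAB-PC1", "2005-04-26 09:02:11", 528, "jdoe",   2, "0x3e1a"),
    ("LAB-PC1", "2005-04-26 09:48:30", 538, "jdoe",   2, "0x3e1a"),
    ("LAB-PC2", "2005-04-26 10:05:42", 528, "jdoe",   2, "0x51c7"),
    ("LAB-PC2", "2005-04-26 10:07:03", 528, "asmith", 2, "0x5200"),
    ("LAB-PC2", "2005-04-26 10:55:19", 538, "jdoe",   2, "0x51c7"),
    ("LAB-PC1", "2005-04-26 11:30:00", 528, "jdoe",   2, "0x4b02"),  # no logoff logged
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def interactive_sessions(events, user):
    """Pair each 528 logon with its 538 logoff by (computer, logon ID)."""
    open_sessions, sessions = {}, []
    for computer, when, event_id, name, logon_type, logon_id in sorted(
            events, key=lambda e: _ts(e[1])):
        if name.lower() != user.lower() or logon_type != 2:
            continue
        key = (computer, logon_id)
        if event_id == 528:
            open_sessions[key] = _ts(when)
        elif event_id == 538 and key in open_sessions:
            sessions.append((computer, open_sessions.pop(key), _ts(when)))
    # A logon with no matching logoff stays open-ended (end = None).
    sessions += [(c, start, None) for (c, _), start in open_sessions.items()]
    return sessions

def workstations_at(events, user, deleted_at, skew=timedelta(minutes=2)):
    """Computers where `user` had an interactive session covering the deletion
    time taken from the file server log, allowing for clock skew."""
    t = _ts(deleted_at)
    hits = set()
    for computer, start, end in interactive_sessions(events, user):
        if start - skew <= t and (end is None or t <= end + skew):
            hits.add(computer)
    return sorted(hits)

if __name__ == "__main__":
    print(workstations_at(EVENTS, "jdoe", "2005-04-26 10:31:00"))
```

If both workstations come back, the sessions overlapped and the logon times alone cannot separate them.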


