Re: Security Event Log madness.

From: Nunya Beeswax (no email)
Date: 04/28/05


Date: 28 Apr 2005 15:22:02 -0500


     I know that it was her username that deleted the files. But, she
was logged onto two computers at the same time. She claims that a
friend was using one of the computers logged in under her username
(students have been told repeatedly not to do that) and that the
friend was supposed to log her off. So, even though I know it was her
username, I need to know the computer it was done on. There is a
camera that shows these computers. So, if I know what computer she,
or her friend, was on, they can't deny it. Right now, they can blame
it on each other.

On Thu, 28 Apr 2005 14:11:07 +0100, andy smart
<anonymus@discussions.microsoft.com> wrote:

>Nunya Beeswax wrote:
>> We've had a student in our school system delete a ton of files on
>> a server that were wide-open to students. The permissions allowed
>> students to delete files because Microsoft Office files need 'Delete'
>> permissions or they'll create the filename but the file will be empty.
>> The students have their own individual folder for saving files that
>> only they can access but most of the teachers had them using the
>> 'open' folder. I recovered everything from our backup, but we don't
>> want to let this slide.
>> Anyway, I know the username of the student that deleted the
>> files. But, I need to determine the computer they did it from. I
>> know it's one of two computers. I have the security logs from both
>> domain controllers, the file server the files were deleted from and
>> the computers she logged in on. I see clearly in the log from the
>> file server that she deleted the files. But, it doesn't tell me what
>> computer the delete command was executed from. I don't see anything
>> in ANY of the other security logs that tells me what computer the
>> delete command came from.
>> I see events 540 & 576 in the log of one of the domain
>> controllers involving this user, but the 'Workstation Name' field is
>> blank in the 540 events. Surely to God above there is some way to
>> find out what computer she actually used, but I don't see anything in
>> any of these logs that tells me.
>> I need to know what computer she deleted the files from. Also,
>> if someone can point me to a good book or online resource that tells
>> me how to make sense of the event logs I would REALLY appreciate it.
>> Any light you can shed on this would be GREATLY appreciated.
>
>Do you know when the files were deleted? If so you could run the
>eventcomb tool (free from somewhere on microsoft.com) to run over the
>event logs which should tell you which machine they were on.
>
>BTW, why do you need to know which workstation it was? If you got her
>bang to rights why do you need to know where it was done from?
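
An added example, not part of the original posts: one way to approach the question in this thread is to join the file server's network logon events (540) to its object-access events on the logon ID that both carry, then read the origin from the matching 540. The CSV layout, column names, user name, addresses and file paths are constructed; the use of event 560 for object access and the presence of a source address column are assumptions about what the exported log contains.

```python
import csv
import io

UNRESOLVED = "UNRESOLVED"

# Constructed sample: file-server Security log exported to CSV (simplified columns).
SAMPLE = r"""time,event_id,user,logon_id,workstation,source_addr,object,accesses
2005-04-27 10:01:12,540,jdoe,0x3A1F2,,192.0.2.21,,
2005-04-27 10:02:40,540,jdoe,0x3B77C,,192.0.2.34,,
2005-04-27 10:05:03,560,jdoe,0x3B77C,,,D:\Open\essay1.doc,DELETE
2005-04-27 10:05:04,560,jdoe,0x3B77C,,,D:\Open\essay2.doc,DELETE
2005-04-27 10:06:30,560,jdoe,0x3A1F2,,,D:\Open\notes.doc,ReadData
2005-04-27 10:07:00,560,jdoe,0x3C000,,,D:\Open\lab.xls,DELETE
"""

def deletes_by_source(csv_text, user):
    """Group objects opened with DELETE access by the origin of the logon session."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    user = user.lower()

    # Pass 1: logon ID -> origin, taken from network logon events (540).
    origin = {}
    for r in rows:
        if r["event_id"] == "540" and r["user"].lower() == user:
            # Workstation Name can be blank (as in the post): fall back to the
            # source address column if the log has one, else mark unresolved.
            origin[r["logon_id"].lower()] = (
                r["workstation"] or r["source_addr"] or UNRESOLVED
            )

    # Pass 2: attribute each DELETE open (assumed event 560) to its session.
    result = {}
    for r in rows:
        if (r["event_id"] == "560" and r["user"].lower() == user
                and "DELETE" in r["accesses"].split()):
            # A logon ID with no matching 540 (log rolled over, logon not
            # audited) stays unresolved rather than being guessed.
            src = origin.get(r["logon_id"].lower(), UNRESOLVED)
            result.setdefault(src, []).append(r["object"])
    return result

if __name__ == "__main__":
    for src, objects in deletes_by_source(SAMPLE, "jdoe").items():
        print(src, objects)
```

Two simultaneous sessions under one username get different logon IDs, which is what lets the deletes be tied to one machine rather than to the account alone.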


