Re: Security Event Log madness.
From: Nunya Beeswax (no email)
Date: 04/28/05
- Next message: Ken Loveless: "NT4 and 2000 Trust"
- Previous message: Nunya Beeswax: "Re: Security Event Log madness."
- In reply to: andy smart: "Re: Security Event Log madness."
- Next in thread: Steven L Umbach: "Re: Security Event Log madness."
- Reply: Steven L Umbach: "Re: Security Event Log madness."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 28 Apr 2005 16:10:09 -0500
Also, I know that I CAN get the computer name. The problem is
that I don't know what to look for. Should I look at the log on the
file server or the workstations? What event IDs am I looking for? I
have seen events that have a field that shows what computer the event
was generated from. But, those fields are blank. I obviously don't
know squat about this so I need some hand-holding. I know how to use
EventComb, but I don't know what I'm looking for. I know about
EventID.net, but that only shows me specific info about specific event
IDs. I would be very grateful if you could point me in the right
direction or even point me to a good tutorial about how to make sense
of the event logs. I've done a ton of research on the net, but I
haven't found a tutorial. Thank you in advance from an event-log
idiot.
On Thu, 28 Apr 2005 14:11:07 +0100, andy smart
<anonymus@discussions.microsoft.com> wrote:
>Nunya Beeswax wrote:
>> We've had a student in our school system delete a ton of files on
>> a server that were wide-open to students. The permissions allowed
>> students to delete files because Microsoft Office files need 'Delete'
>> permissions or they'll create the filename but the file will be empty.
>> The students have their own individual folder for saving files that
>> only they can access but most of the teachers had them using the
>> 'open' folder. I recovered everything from our backup, but we don't
>> want to let this slide.
>> Anyway, I know the username of the student that deleted the
>> files. But, I need to determine the computer they did it from. I
>> know it's one of two computers. I have the security logs from both
>> domain controllers, the file server the files were deleted from and
>> the computers she logged in on. I see clearly in the log from the
>> file server that she deleted the files. But, it doesn't tell me what
>> computer the delete command was executed from. I don't see anything
>> in ANY of the other security logs that tells me what computer the
>> delete command came from.
>> I see events 540 & 576 in the log of one of the domain
>> controllers involving this user, but the 'Workstation Name' field is
>> blank in the 540 events. Surely to God above there is some way to
>> find out what computer she actually used, but I don't see anything in
>> any of these logs that tells me.
>> I need to know what computer she deleted the files from. Also,
>> if someone can point me to a good book or online resource that tells
>> me how to make sense of the event logs I would REALLY appreciate it.
>> Any light you can shed on this would be GREATLY appreciated.
>
>Do you know when the files were deleted? If so you could run the
>eventcomb tool (free from somewhere on microsoft.com) to run over the
>event logs which should tell you which machine they were on.
>
>BTW, why do you need to know which workstation it was? If you got her
>bang to rights why do you need to know where it was done from.
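The correlation the thread is circling around, shown as an added example that is not part of the original newsgroup post or of any Microsoft tool: on a Windows 2000/2003 file server, a 560 "Object Open" event whose Accesses include DELETE carries a Logon ID, and the same Logon ID appears in the 540 "Successful Network Logon" event that opened that session on the same server. Joining the two on Logon ID is what ties a deletion to its client; the client is then whatever the 540 recorded (Source Network Address on Windows Server 2003, Workstation Name otherwise, which is often blank for Kerberos network logons). The event texts below are constructed to mimic the 540/560 field layout; the user name, Logon IDs, addresses and file paths are made-up sample data.

```python
"""Join file-server 560 (Object Open, DELETE access) events to the 540
(Successful Network Logon) event of the same session via Logon ID, and
report where the session came from, if the 540 event says."""
import re
from typing import Dict, List, Optional

# Constructed sample events (not from the original post), modelled on the
# field layout of Windows 2000/2003 Security log events 540 and 560.
SAMPLE_EVENTS = [
    # 540, Windows Server 2003 style: Workstation Name blank (Kerberos network
    # logon) but Source Network Address present.
    """Event ID: 540
Successful Network Logon:
    User Name:      jdoe
    Domain:         SCHOOL
    Logon ID:       (0x0,0x1A2B3C)
    Logon Type:     3
    Workstation Name:
    Source Network Address: 10.1.20.57
    Source Port:    1042""",
    # 540, Windows 2000 style: no Source Network Address field at all.
    """Event ID: 540
Successful Network Logon:
    User Name:      jdoe
    Domain:         SCHOOL
    Logon ID:       (0x0,0x2B3C4D)
    Logon Type:     3
    Workstation Name:""",
    # 560 with DELETE: for share access the server service (SYSTEM, 0x3E7)
    # impersonates the client, so the user is in the Client fields.
    """Event ID: 560
Object Open:
    Object Server:      Security
    Object Type:        File
    Object Name:        D:\\Shared\\Open\\essay.doc
    Handle ID:          2216
    Primary User Name:  FILESRV$
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   jdoe
    Client Domain:      SCHOOL
    Client Logon ID:    (0x0,0x1A2B3C)
    Accesses:           DELETE
                        ReadAttributes""",
    """Event ID: 560
Object Open:
    Object Server:      Security
    Object Type:        File
    Object Name:        D:\\Shared\\Open\\notes.doc
    Handle ID:          2217
    Primary User Name:  FILESRV$
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   jdoe
    Client Domain:      SCHOOL
    Client Logon ID:    (0x0,0x2B3C4D)
    Accesses:           DELETE""",
    # Read-only open: must not be reported.
    """Event ID: 560
Object Open:
    Object Server:      Security
    Object Type:        File
    Object Name:        D:\\Shared\\Open\\readme.txt
    Handle ID:          2218
    Primary User Name:  FILESRV$
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   jdoe
    Client Domain:      SCHOOL
    Client Logon ID:    (0x0,0x1A2B3C)
    Accesses:           ReadData (or ListDirectory)""",
]

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_event(text: str) -> Dict[str, str]:
    """Turn one event's description into {field: value}; lines without a
    'Name:' prefix continue the previous field (multi-line Accesses)."""
    fields: Dict[str, str] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last and line.strip():
            fields[last] = (fields[last] + " " + line.strip()).strip()
    return fields


def session_logon_id(ev: Dict[str, str]) -> str:
    """Share access puts the user in the Client fields; local access leaves
    them '-' and uses the Primary fields."""
    client = ev.get("Client Logon ID", "-")
    return client if client not in ("", "-") else ev.get("Primary Logon ID", "")


def find_delete_origins(event_texts: List[str]) -> List[Dict[str, Optional[str]]]:
    """For every 560 with DELETE access, look up the 540 with the same Logon ID
    and return who deleted what and from where (None if the 540 does not say)."""
    events = [parse_event(t) for t in event_texts]
    logons = {ev["Logon ID"]: ev for ev in events if ev.get("Event ID") == "540"}
    results: List[Dict[str, Optional[str]]] = []
    for ev in events:
        if ev.get("Event ID") != "560" or "DELETE" not in ev.get("Accesses", "").split():
            continue
        lid = session_logon_id(ev)
        logon = logons.get(lid, {})
        client_user = ev.get("Client User Name", "-")
        results.append({
            "user": client_user if client_user not in ("", "-") else ev.get("Primary User Name"),
            "object": ev.get("Object Name"),
            "logon_id": lid,
            "source": logon.get("Source Network Address") or logon.get("Workstation Name") or None,
        })
    return results


if __name__ == "__main__":
    for r in find_delete_origins(SAMPLE_EVENTS):
        print(f"{r['user']} deleted {r['object']} in session {r['logon_id']} "
              f"from {r['source'] or 'unknown (Workstation Name blank)'}")
```

The point of the second sample pair is the failure mode the poster hit: when the 540 on the file server has a blank Workstation Name and no Source Network Address, the Security log alone cannot name the client machine, and the correlation reports the source as unknown rather than guessing.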