Re: Security Event Log madness.

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/29/05 

Date: Thu, 28 Apr 2005 17:14:53 -0500

The links below may help. There are often a sequence of numbers/letters in
the primary logon ID and such in object access events. I don't know if these
indicate the computer. Since you know the computers, you could try to
generate some object access events from each one to see if you can use the
information in the primary logon ID to determine which computer it was.

http://www.windowsitpro.com/Windows/Articles/ArticleID/20563/pg/2/2.html
http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx

For the future, if you have a Windows 2003 domain controller or can install
one you can use the new limitlogon tool to enforce the numbers of computers
that a user is logged onto at the same time. You can also specify what
domain computers a user can logon to in their account properties in Active
Directory Users and Computers and configure the user rights for logon
locally and deny logon locally to manage what computers users/groups can
logon to. -- Steve

http://www.thincomputing.net/newsitem296.html

<Nunya Beeswax> wrote in message
news:u6k271pmk1chhr20f6prkneqm6jrfol2mu@4ax.com...
> Also, I know that I CAN get the computer name. The problem is
> that I don't know what to look for. Should I look at the log on the
> file server or the workstations? What event IDs am I looking for? I
> have seen events that have a field that shows what computer the event
> was generated from. But, those fields are blank. I obviously don't
> know squat about this so I need some hand-holding. I know how to use
> EventComb, but I don't know what I'm looking for. I know about
> EventID.net, but that only shows me specific info about specific event
> IDs. I would be very greatful if you could point me in the right
> direction or even point me to a good tutorial about how to make sense
> of the event logs. I've done a ton of research on the net, but I
> haven't found a tutorial. Thank you in advance from an event-log
> idiot.
>
> On Thu, 28 Apr 2005 14:11:07 +0100, andy smart
> <anonymus@discussions.microsoft.com> wrote:
>
>>Nunya Beeswax wrote:
>>> We've had a student in our school system delete a ton of files on
>>> a server that were wide-open to students. The permissions allowed
>>> students to delete files because Microsoft Office files need 'Delete'
>>> permissions or they'll create the filename but the file will be empty.
>>> The students have their own individual folder for saving files that
>>> only they can access but most of the teachers had them using the
>>> 'open' folder. I recovered everything from our backup, but we don't
>>> want to let this slide.
>>> Anyway, I know the username of the student that deleted the
>>> files. But, I need to determine the computer they did it from. I
>>> know it's one of two computers. I have the security logs from both
>>> domain controllers, the file server the files were deleted from and
>>> the computers she logged in on. I see clearly in the log from the
>>> file server that she deleted the files. But, it doesn't tell me what
>>> computer the delete command was executed from. I don't see anything
>>> in ANY of the other security logs that tells me what computer the
>>> delete command came from.
>>> I see events 540 & 576 in the log of one of the domain
>>> controllers involving this user, but the 'Workstation Name' field is
>>> blank in the 540 events. Surely to God above there is some way to
>>> find out what computer she actually used, but I don't see anything in
>>> any of these logs that tells me.
>>> I need to know what computer she deleted the files from. Also,
>>> if someone can point me to a good book or online resource that tells
>>> me how to make sense of the event logs I would REALLY appreciate it.
>>> Any light you can shed on this would be GREATLY appreciated.
>>
>>Do you know when the files were deleted? If so you could run the
>>eventcomb tool (free from somewhere on microsoft.com) to run over the
>>event logs which should tell you which machine they were on.
>>
>>BTW, why do you need to know which workstation it was? If you got her
>>bang to rights why do you need to know where it was done from.
>

Relevant Pages

  • Re: Making the case for not installing DCs on remote sites (2xT1 links)
    ... 25,000 users;-) and I don't know how may servers -4,000 perhaps. ... I think that the logon ... >>>>to logon from branch offices where I have no DC+GC there. ... >>>>offices with more than 60 computers. ...
    (microsoft.public.win2000.active_directory)
  • Re: Slow startup after logon
    ... the other computers are just my house computers. ... "John John" wrote: ... At school when you logon you are not connected to any other ... You can enable "verbose logging" and you might find out what ...
    (microsoft.public.windowsxp.general)
  • Re: GPO Policy Auditing Solution
    ... group policy that only applies to a specific group, users or computers. ... > within the Domain Controller's OU and enable account logon auditing in the ... enable auditing for logon events. ...
    (microsoft.public.windows.server.networking)
  • RE: client in Windows XP
    ... > I still cannot reproduce this issue on my own computers with Windows XP SP1 ... Logon with local Administrator. ... After logon, right-click the RDP file and select Edit, I can see the ... Please send me a screenshot of the exact screen when the issue ...
    (microsoft.public.win2000.termserv.clients)
  • Logon problem
    ... I can add computers to the ... But when trying to logon to the domain, ... Ethernet adapter Local Area Connection: ... IP-konfiguration för Windows ...
    (microsoft.public.backoffice.smallbiz2000)