Re: possible to log when a domain user locks workstation?
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Aug 2006 22:24:28 -0500
In particular look for type 7 logons. My experience however is that an event
seems to be recorded when the user unlocks the computer but not when they
lock it. Be sure to test it out to see what the results are. You may want to
implement a policy that users are required to logoff of their computers at
the end of a day with a reminder that lack to do so could result in
discipline and/or loss of data if you are forced to logoff users that just
lock their computers.
Steve
http://www.windowsecurity.com/articles/Logon-Types.html --- Windows logon
types
Logon Type 7 - Unlock
Hopefully the workstations on your network automatically start a password
protected screen saver when a user leaves their computer so that unattended
workstations are protected from malicious use. When a user returns to their
workstation and unlocks the console, Windows treats this as a logon and logs
the appropriate Logon/Logoff event but in this case the logon type will be
7 - identifying the event as a workstation unlock attempt. Failed logons
with logon type 7 indicate either a user entering the wrong password or a
malicious user trying to unlock the computer by guessing the password.
"Reluctant Sys-Admin" <ReluctantSysAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:4E6E8682-1167-4F8E-A23C-B298AE644271@xxxxxxxxxxxxxxxx
Thanks Adam! I'll give it a try.
"Adam" wrote:
Reluctant Sys-Admin wrote:
I have a 2003 Server domain controller and XP workstations. I am
trying to
audit when domain users log on and off the domain for the day, however,
certain users are not logging off but simply locking the workstation at
the
end of the day and unlocking it the next day. These events do not
appear in
the security events log on the domain controller. Is there any way to
log
when a user locks a workstation either on the domain controller OR on
the
local machine?
Yes -- use group policy to enable logon/logoff success auditing on the
XP workstations.
Basically locking and unlocking a machine doesn't touch the network so
the domain controller will never know -- instead you have to gather
together the audit logs from the workstations.
.
- References:
- Prev by Date: Re: Multiple 538 and 540 ID's in 2003 server Security Events Log?
- Next by Date: Re: Disabling sharing tab in client systems
- Previous by thread: Re: possible to log when a domain user locks workstation?
- Next by thread: winlogon processs hold too much memory
- Index(es):
Relevant Pages
|
