Re: Missing PC - Want to know who last logged on

Sounds good. Thanks again.
--
Hugh


"Al Dunbar" wrote:

for future use, there are commandline tools available for extracting the
date of last logon for all profile owners on a remote system, here is one:

http://www.microsoft.com/technet/sysinternals/Security/PsLoggedOn.mspx

If theft is a significant problem for you, you could schedule a nightly job
to collect this from your workstations. If it found one missing, it could
send the previous night's report for that workstation to an admin.

Alternately, you could log each session into a log file from your logon
script, and then run a job to process the logs.

Neither will prevent theft, but either could help identifying when it might
have happened, and providing some evidence about who might have been around
at the time. Actually, the logon script approach would pin this down much
more accurately.

/Al

"Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4BE992A8-3552-4704-A5BB-F5437C73934B@xxxxxxxxxxxxxxxx
I was afraid of that. Thanks for the reply and the tips.
--
Hugh


"Al Dunbar" wrote:


"Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:15C2B295-CC9B-4803-879B-18B12F6ECB1D@xxxxxxxxxxxxxxxx
We have a PC that is missing. It is a domain-based PC on a Win 2003
domain.
I have all security event logs from all domain controllers, but no
access
to
the missing PC's event logs. I also have access to SMS. In the event
logs,
I have found several entries for the PC, but can't figure out how to
determine who last logged on. Is it possible without the PC's event
logs?
Or with SMS? Thanks.

I think you're out of luck, sorry.

The DC's don't keep track of where a person logs in from. And, while SMS
may
indicate who was logged in when it last did a software or hardware scan,
I
am almost completely positive that it does not log login events on the
workstations.

You should be able to determine within a week or so when it was last
actually present on your network. Check the modified date for the
computer
account, and also the last password change date. Passwords for computer
accounts are changed regularly, and this is reflected in both active
directory and on the actual client computer. The process is done through
some handshaking between the computer and the DC, so you will know that
the
computer was "present" on the date the account's password last changed.

/Al






.

Relevant Pages

  • Re: Hacking attempts?
    ... Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. ... One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. ... You can use the IIS logs to track down the ip addressthat are attempting unauthorized login. ...
    (microsoft.public.windows.server.sbs)
  • Re: Please Help
    ... In an Active Directory setup I use logon and logoff scripts that log the ... Use the Event logs. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Login Errors Seem to indicate we are being hacked?
    ... wired LAN and I was wondering if the logins were coming through that. ... Switch on SMTP logging and in the logs you will find the IP to block if you ... Logon Failure: ... Caller User Name: SERVER01$ ...
    (microsoft.public.windows.server.sbs)
  • Re: Log file full of security problems!
    ... "Mark Grantom" wrote: ... Associates version of an antivirus program that comes with my DSL ... Primary Logon ID: ... Disable the logging for the time being; Clear the logs or copy them to ...
    (microsoft.public.windowsxp.network_web)
  • Re: Log file full of security problems!
    ... having with my small peer-to-peer network. ... Primary User Name: Mark ... Primary Logon ID: ... Disable the logging for the time being; Clear the logs or copy them to ...
    (microsoft.public.windowsxp.network_web)