security audit
- From: aurimas <aurimas@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 2 Apr 2009 23:25:01 -0700
Hi,
We need to audit users' activity on particular computers. Let's say I have an
incident for a particular computer. I know its IP, and from DNS I can find
out its name. But what else I need is to find the users who were using that
computer during some time. I have enabled "Audit account logon events" in GPO
on my Default Domain Controllers Policy, but I can't see the user accounts that
used that computer. This is my security log on the DC:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2009.03.30
Time: 13:44:12
User: DARBUOT\UKK-MK-01704$
Computer: MRUCDDC01
Description:
Successful Network Logon:
User Name: UKK-MK-01704$
Domain: DARBUOT
Logon ID: (0x0,0x12A56E4A)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {5648b24a-aa61-db67-cdfe-b0258417e4c3}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.32.14
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Thank you for your help,
Aurimas
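
An added example, not part of the original post: a parser for the event text layout shown above that lists the accounts seen in Event ID 540 records from a given source address within a time window, and flags computer accounts (names ending in `$`) such as the one in the posted event. The sample records are constructed, the `jsmith` account is hypothetical, and the function names are this example's own.

```python
import re
from datetime import datetime
# Constructed records in the posted layout; "jsmith" is hypothetical, not from the post.
SAMPLE = """\
Event ID: 540
Date: 2009.03.30
Time: 13:44:12
User Name: UKK-MK-01704$
Domain: DARBUOT
Caller User Name: -
Source Network Address: 192.168.32.14
Event ID: 540
Date: 2009.03.30
Time: 13:51:40
User Name: jsmith
Domain: DARBUOT
Source Network Address: 192.168.32.14
"""
WANTED = {"Event ID", "Date", "Time", "User Name", "Domain", "Source Network Address"}
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_events(text):
    """Split exported event text into one dict per record (a record starts at 'Event ID')."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Event ID":
            events.append(cur := {})
        if cur is not None and key in WANTED:  # "Caller User Name" etc. are ignored
            cur[key] = val
    return events

def accounts_from(text, ip, start, end):
    """Return sorted (time, DOMAIN\\account, is_computer_account) for 540 logons from ip."""
    hits = []
    for ev in parse_events(text):
        if ev.get("Event ID") != "540" or ev.get("Source Network Address") != ip:
            continue
        try:  # date layout as in the post (yyyy.mm.dd); other locales differ
            when = datetime.strptime(f"{ev.get('Date')} {ev.get('Time')}", "%Y.%m.%d %H:%M:%S")
        except ValueError:
            continue
        if start <= when <= end:
            name = ev.get("User Name", "")
            hits.append((when, f"{ev.get('Domain', '')}\\{name}", name.endswith("$")))
    return sorted(hits)
```

Entries whose third field is `True` are computer accounts like `UKK-MK-01704$` and do not identify a person.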