Solved

Audit User log on

Posted on 2004-09-20
2
160 Views
Last Modified: 2013-12-04
I have a user who thinks he shut his computer off on Friday and when he came in Monday, his computer was logged in. I need to check if his login mane was used on Sunday. He is a domain user on a 2000 - 2003 domain. He has no security logs on his computer. On the domain controller there are security logs with messages for Sunday for various things. The problem is that there are many user names with these messages for Sunday. No one was here on Sunday. Are these messages normal even though no one is logging in and out? How can I check to see the last time this user logged in?

User Logoff:
       User Name:      userA
       Domain:            ABC
       Logon ID:            (0x0,0x387ED1D)
       Logon Type:      3

Special privileges assigned to new logon:
       User Name:      userA
                Domain:            ABC
       Logon ID:            (0x0,0x38AB692)
       Privileges:      SeChangeNotifyPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeDebugPrivilege
0
Comment
Question by:mspolter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 12

Accepted Solution

by:
zvitam earned 350 total points
ID: 12105343
look the the follwing URL you have a complete list of all security event IDs, look for event 528 to see when this user logged on, and event 538 to when he logged off.

http://www.privacywindows.com/securityfaq/security_systems.html
0
 

Author Comment

by:mspolter
ID: 12105911
There are 538's in the log for my name for yesterday (Sunday) and I was not here - no one should have my password - so how would there be successful log on and offs by themselves. My computer was left logged in over the weekend. Does kerberos renegotiate by itself if you are logged in and so to say relog in and out which would be logged, or did someone steal my username and password (which I would say is very unlikely)
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question