asked on

Audit User log on

I have a user who thinks he shut his computer off on Friday and when he came in Monday, his computer was logged in. I need to check if his login mane was used on Sunday. He is a domain user on a 2000 - 2003 domain. He has no security logs on his computer. On the domain controller there are security logs with messages for Sunday for various things. The problem is that there are many user names with these messages for Sunday. No one was here on Sunday. Are these messages normal even though no one is logging in and out? How can I check to see the last time this user logged in?

User Logoff:
     User Name:      userA
     Domain:            ABC
     Logon ID:            (0x0,0x387ED1D)
     Logon Type:      3

Special privileges assigned to new logon:
     User Name:      userA
Domain:            ABC
     Logon ID:            (0x0,0x38AB692)
     Privileges:      SeChangeNotifyPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeDebugPrivilege

ASKER CERTIFIED SOLUTION

zvitam

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

mspolter

ASKER

There are 538's in the log for my name for yesterday (Sunday) and I was not here - no one should have my password - so how would there be successful log on and offs by themselves. My computer was left logged in over the weekend. Does kerberos renegotiate by itself if you are logged in and so to say relog in and out which would be logged, or did someone steal my username and password (which I would say is very unlikely)