• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 234
  • Last Modified:

login logout help

if I see in the logs that a user logged on to a server that would be just that server. we are trying to determin if the user logged on to that server or if someo otehr process replicated etc. it shows the user logged in and edited gpt.ini and then logged out a minute later. how do we determine if they actually logged in to this server it shows he logged in from a terminal server on our network/
0
zenworksb
Asked:
zenworksb
  • 3
  • 3
1 Solution
 
zenworksbAuthor Commented:
i also looked in the server and it did not create a profile very confused by this?
0
 
tigermattCommented:
I doubt it was actually a user login event as such. Windows uses the term "login" very loosely. In fact, I expect the event you have seen would just be the user remotely accessing the server by entering \\<server> from another workstation, or even one of Windows' processes accessing it automatically. If it's the gpt.ini file they accessed, I would expect the Group Policy engine to have modified that file. If the user hasn't got elevated privileges over the network, they wouldn't have permission to do that.

The other evidence to show that the user didn't actually log in to the server is no profile was created as you say, so the user cannot have initiated a session on the console or Terminal Services of that server.

-tigermatt
0
 
zenworksbAuthor Commented:
but why would he have gpt.ini open on a gc in a location somewhere else has elevated privilages but we are trying to figure out why he was on that server did he get his update for gpo from that server
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
tigermattCommented:
If the gpt.ini file was open, then he would have obtained the Group Policy from that server. Any domain controller in his Active Directory site can be picked to do queries such as Group Policy updates, so this GC might just have been the one which was used to run the GPO update.
0
 
zenworksbAuthor Commented:
even if he has local dc and this server that we saw this on is in a different state
0
 
tigermattCommented:
If the server is configured on its own separate Site in Active Directory then he should not be accessing it. However, if his local DC is not also a Global Catalog as per http://support.microsoft.com/kb/313994, he may have to go across sites in order to access it.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now