Solved

login logout help

Posted on 2008-06-17
6
219 Views
Last Modified: 2010-04-18
if I see in the logs that a user logged on to a server that would be just that server. we are trying to determin if the user logged on to that server or if someo otehr process replicated etc. it shows the user logged in and edited gpt.ini and then logged out a minute later. how do we determine if they actually logged in to this server it shows he logged in from a terminal server on our network/
0
Comment
Question by:zenworksb
  • 3
  • 3
6 Comments
 

Author Comment

by:zenworksb
ID: 21806953
i also looked in the server and it did not create a profile very confused by this?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21807246
I doubt it was actually a user login event as such. Windows uses the term "login" very loosely. In fact, I expect the event you have seen would just be the user remotely accessing the server by entering \\<server> from another workstation, or even one of Windows' processes accessing it automatically. If it's the gpt.ini file they accessed, I would expect the Group Policy engine to have modified that file. If the user hasn't got elevated privileges over the network, they wouldn't have permission to do that.

The other evidence to show that the user didn't actually log in to the server is no profile was created as you say, so the user cannot have initiated a session on the console or Terminal Services of that server.

-tigermatt
0
 

Author Comment

by:zenworksb
ID: 21807305
but why would he have gpt.ini open on a gc in a location somewhere else has elevated privilages but we are trying to figure out why he was on that server did he get his update for gpo from that server
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 58

Expert Comment

by:tigermatt
ID: 21807322
If the gpt.ini file was open, then he would have obtained the Group Policy from that server. Any domain controller in his Active Directory site can be picked to do queries such as Group Policy updates, so this GC might just have been the one which was used to run the GPO update.
0
 

Author Comment

by:zenworksb
ID: 21807393
even if he has local dc and this server that we saw this on is in a different state
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 21807417
If the server is configured on its own separate Site in Active Directory then he should not be accessing it. However, if his local DC is not also a Global Catalog as per http://support.microsoft.com/kb/313994, he may have to go across sites in order to access it.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This article runs through the process of deploying a single EXE application selectively to a group of user.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question