login logout help

Posted on 2008-06-17
Last Modified: 2010-04-18
if I see in the logs that a user logged on to a server that would be just that server. we are trying to determin if the user logged on to that server or if someo otehr process replicated etc. it shows the user logged in and edited gpt.ini and then logged out a minute later. how do we determine if they actually logged in to this server it shows he logged in from a terminal server on our network/
Question by:zenworksb
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3

Author Comment

ID: 21806953
i also looked in the server and it did not create a profile very confused by this?
LVL 58

Expert Comment

ID: 21807246
I doubt it was actually a user login event as such. Windows uses the term "login" very loosely. In fact, I expect the event you have seen would just be the user remotely accessing the server by entering \\<server> from another workstation, or even one of Windows' processes accessing it automatically. If it's the gpt.ini file they accessed, I would expect the Group Policy engine to have modified that file. If the user hasn't got elevated privileges over the network, they wouldn't have permission to do that.

The other evidence to show that the user didn't actually log in to the server is no profile was created as you say, so the user cannot have initiated a session on the console or Terminal Services of that server.


Author Comment

ID: 21807305
but why would he have gpt.ini open on a gc in a location somewhere else has elevated privilages but we are trying to figure out why he was on that server did he get his update for gpo from that server
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

LVL 58

Expert Comment

ID: 21807322
If the gpt.ini file was open, then he would have obtained the Group Policy from that server. Any domain controller in his Active Directory site can be picked to do queries such as Group Policy updates, so this GC might just have been the one which was used to run the GPO update.

Author Comment

ID: 21807393
even if he has local dc and this server that we saw this on is in a different state
LVL 58

Accepted Solution

tigermatt earned 500 total points
ID: 21807417
If the server is configured on its own separate Site in Active Directory then he should not be accessing it. However, if his local DC is not also a Global Catalog as per, he may have to go across sites in order to access it.

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Recover options for a failed domain. 4 51
Group Members to a csv file using PowerShell. 7 41
User Account issue 6 38
Move the SYSVOL and NTDS folder to another drive 5 36
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question