Solved

login logout help

Posted on 2008-06-17
6
218 Views
Last Modified: 2010-04-18
if I see in the logs that a user logged on to a server that would be just that server. we are trying to determin if the user logged on to that server or if someo otehr process replicated etc. it shows the user logged in and edited gpt.ini and then logged out a minute later. how do we determine if they actually logged in to this server it shows he logged in from a terminal server on our network/
0
Comment
Question by:zenworksb
  • 3
  • 3
6 Comments
 

Author Comment

by:zenworksb
ID: 21806953
i also looked in the server and it did not create a profile very confused by this?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21807246
I doubt it was actually a user login event as such. Windows uses the term "login" very loosely. In fact, I expect the event you have seen would just be the user remotely accessing the server by entering \\<server> from another workstation, or even one of Windows' processes accessing it automatically. If it's the gpt.ini file they accessed, I would expect the Group Policy engine to have modified that file. If the user hasn't got elevated privileges over the network, they wouldn't have permission to do that.

The other evidence to show that the user didn't actually log in to the server is no profile was created as you say, so the user cannot have initiated a session on the console or Terminal Services of that server.

-tigermatt
0
 

Author Comment

by:zenworksb
ID: 21807305
but why would he have gpt.ini open on a gc in a location somewhere else has elevated privilages but we are trying to figure out why he was on that server did he get his update for gpo from that server
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 58

Expert Comment

by:tigermatt
ID: 21807322
If the gpt.ini file was open, then he would have obtained the Group Policy from that server. Any domain controller in his Active Directory site can be picked to do queries such as Group Policy updates, so this GC might just have been the one which was used to run the GPO update.
0
 

Author Comment

by:zenworksb
ID: 21807393
even if he has local dc and this server that we saw this on is in a different state
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 21807417
If the server is configured on its own separate Site in Active Directory then he should not be accessing it. However, if his local DC is not also a Global Catalog as per http://support.microsoft.com/kb/313994, he may have to go across sites in order to access it.
0

Featured Post

[Webinar] Disaster Recovery and Cloud Management

Learn from Unigma and CloudBerry industry veterans which providers are best for certain use cases and how to lower cloud costs, how to grow your Managed Services practice in IaaS clouds, and how to utilize public cloud for Disaster Recovery

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now