Solved

login logout help

Posted on 2008-06-17
6
221 Views
Last Modified: 2010-04-18
if I see in the logs that a user logged on to a server that would be just that server. we are trying to determin if the user logged on to that server or if someo otehr process replicated etc. it shows the user logged in and edited gpt.ini and then logged out a minute later. how do we determine if they actually logged in to this server it shows he logged in from a terminal server on our network/
0
Comment
Question by:zenworksb
  • 3
  • 3
6 Comments
 

Author Comment

by:zenworksb
ID: 21806953
i also looked in the server and it did not create a profile very confused by this?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21807246
I doubt it was actually a user login event as such. Windows uses the term "login" very loosely. In fact, I expect the event you have seen would just be the user remotely accessing the server by entering \\<server> from another workstation, or even one of Windows' processes accessing it automatically. If it's the gpt.ini file they accessed, I would expect the Group Policy engine to have modified that file. If the user hasn't got elevated privileges over the network, they wouldn't have permission to do that.

The other evidence to show that the user didn't actually log in to the server is no profile was created as you say, so the user cannot have initiated a session on the console or Terminal Services of that server.

-tigermatt
0
 

Author Comment

by:zenworksb
ID: 21807305
but why would he have gpt.ini open on a gc in a location somewhere else has elevated privilages but we are trying to figure out why he was on that server did he get his update for gpo from that server
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 58

Expert Comment

by:tigermatt
ID: 21807322
If the gpt.ini file was open, then he would have obtained the Group Policy from that server. Any domain controller in his Active Directory site can be picked to do queries such as Group Policy updates, so this GC might just have been the one which was used to run the GPO update.
0
 

Author Comment

by:zenworksb
ID: 21807393
even if he has local dc and this server that we saw this on is in a different state
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 21807417
If the server is configured on its own separate Site in Active Directory then he should not be accessing it. However, if his local DC is not also a Global Catalog as per http://support.microsoft.com/kb/313994, he may have to go across sites in order to access it.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Linux Samba using Kerberos to Auth from Active Directory 9 70
WMI - Issue Server 2012 R2 1 18
DC - depromo and repromo - impact 7 21
Domian name change 12 23
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article runs through the process of deploying a single EXE application selectively to a group of user.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question