Solved

I have the computer name, how can I determine which user account logged into this computer last?

Posted on 2008-06-18
3
174 Views
Last Modified: 2010-04-21
A PC who's name I don't recognize was logged connecting to a server via RDP.  I know I can get the mac address from the IP that the computer name resolves to, and then view the arp cache on the Cisco switch to identify which port the suspect computer terminates into...but then I'd have to locate the labeled port in the big office from where it terminates at in the patch panel, and that won't be fun, and will take some time.  Isn't there an easy way that I'm overlooking, to see which user account last logged into a suspect PC?
0
Comment
Question by:guitar_dave
3 Comments
 
LVL 17

Accepted Solution

by:
Andres Perales earned 350 total points
ID: 21815602
You can the security log in the event viewer...you are auditing logs right?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 150 total points
ID: 21815624
Only if you can connect to the box's Registry remotely. If you can, then interrogate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\defaultusername (if XP) or  HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI (if Vista)

0
 

Author Closing Comment

by:guitar_dave
ID: 31468510
Thanks, I was able to see that a domain admin account was logged in the servers' security event log at the time of the incident.  I was able to determine who this was because not many of my users know this account's password.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question