How can I discover who logged onto a computer

Hi, I am trying to figure out what user account logged into a specific lab computer at a specific time.

Servers: Windows Server 2003 R2
Clients: Windows XP Pro

Unfortunately, we are not running audits on our AD right now.  Is there any other way to figure out who it was?

Thanks for your time.

Bob
rsnellman (IT Manager) asked:
 
Brian Pierce (Photographer) commented:
Administrative Tools->Default Domain Controller Policy->Local Settings->Audit Policy

It's also worth noting this: http://geekswithblogs.net/woodenshoe/archive/2005/08/30/51642.aspx
0
 
Brian Pierce (Photographer) commented:
If auditing was not enabled, then it's going to be tricky. You could try looking at the date/time stamps on some of the files in the local profiles - other than that...
0
 
Point-In-Cyberspace commented:
As I can remember, only with auditing enabled you can get this kind of info.
Sorry

0
 
rsnellman (IT Manager, Author) commented:
Is it possible to turn on auditing via Group Policies on certain computers in specific OUs?
0
 
rsnellman (IT Manager, Author) commented:
Unfortunately, we have a device that wipes everything clean once rebooted....so, unfortunately, the computer appears to have been rebooted.  So, no date/time stamp on the profiles are available, because that profile is wiped once the system reboots.   Hmmmmm....well, I guess I need to turn on auditing...

How resource intensive is auditing?  What about network chatter?
0
 
Brian Pierce (Photographer) commented:
It's simple to create a child OU, move the computers into it and then enable auditing on the child OU.

Enabling auditing will not tell you what has gone on in the past though - it's not retrospective
0
 
Brian Pierce (Photographer) commented:
Auditing involves no additional network chatter - the logs can get big though - it depends what you audit.
0
 
rsnellman (IT Manager, Author) commented:
OK, so, once I turn on auditing, it will tell me any activity for the present and future though, right?  I know I cannot find out past activity, because it wasn't turned on and keeping track of it then, right?
0
 
Brian Pierce (Photographer) commented:
Yes
0
 
rsnellman (IT Manager, Author) commented:
How do I go about enabling auditing for logon events on say lab computers OU?
0
 
Point-In-Cyberspace commented:
You can config audit to report only the info you need to reduce performance troubles.
Anyway a little server can audit base events without relevant impact on performance.

The audit policy for logon and logoff, that is what you need, is applied to the domain controllers and not to the client machines in a domain environment where the logon user is on the domain, or to the clients if there are no domains or the user account is in computer management on single machines.


0
 
rsnellman (IT Manager, Author) commented:
Ok, so if I have 3 remote sites, which all have at least one domain controller per site, I could/should set up each domain controller of each site to audit the labs at those sites or would it be better to have my main site DC audit the entire domain?

0
 
Brian Pierce (Photographer) commented:
The DC that processes the logon will need to audit it - so if you want to audit the complete domain you will need to enable auditing on all DCs - do it via the Domain Controllers Group policy.

You can use EventCombMT to gather the logs from all DCs: http://support.microsoft.com/kb/824209
0
 
rsnellman (IT Manager, Author) commented:
So, where do I find the correct location in a Group Policy for the auditing logon/logoff events?
0
 
rsnellman (IT Manager, Author) commented:
Can I direct the auditing events to be redirected to a different data path (i.e. to a D: path that has more HDD space)?
0
 
rsnellman (IT Manager, Author) commented:
So, I should make this policy change on the DC Policy....hmmmm...I am only wanting to track/audit the lab computer logons/logoffs..., but if this is a best practice then I guess I should follow it.  Is there a way I can have the DC Policy auditing only the lab computer's access?  Or am I stuck auditing the entire domain (i.e. lab computer, staff, faculty computers, etc.)?
0
 
rsnellman (IT Manager, Author) commented:
Maybe, I am just having a bad day, but that blog is just not making any sense.  If I just want to track logon/logoff events to lab computers which one(s) audits do I need to enable?
0
 
rsnellman (IT Manager, Author) commented:
OK, I have enabled the following auditing policies on the Default Domain Controllers Policy:

Audit account logon events
Audit account management
Audit logon events

Hopefully this will give me what I am looking for.

Thanks to all.

Bob
0
 
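pga008 commented:

What about creating a log.cmd and adding it to the login script? You can import logins.txt or create an ODBC connection for the logins.txt in Excel.

Patrick

>>>log.cmd
@echo off

REM Capture the "IP Address" line(s) from ipconfig in a temp file
IPCONFIG |FIND "IP" > %temp%\TEMPIP.txt
REM Keep the text after the colon (the last matching line wins)
FOR /F "tokens=2 delims=:" %%a in (%temp%\TEMPIP.txt) do set IP=%%a
del %temp%\TEMPIP.txt
REM Drop the leading space left over from the split
set IP=%IP:~1%
echo %IP% >%temp%\ip.txt
REM Append date;time;"IP";user;computer to the shared log
echo %date%;%time%;"%IP%";%username%;%computername% >> \\server\SAVE$\logins.txt
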
0
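
Added example (not part of Patrick's post): a Python parser for the logins.txt lines that log.cmd appends, answering the original question of who was on a given computer at a given time. The sample lines, host names and the US-English %date%/%time% layout are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample of \\server\SAVE$\logins.txt as log.cmd would append it,
# assuming a US-English client (%date% = "Tue 03/04/2008", %time% = " 9:05:33.12").
SAMPLE = '''Tue 03/04/2008; 9:05:33.12;"10.1.20.31";jdoe;LAB1-PC07
Tue 03/04/2008;10:41:02.87;"10.1.20.32";asmith;LAB1-PC08
Tue 03/04/2008;13:15:47.40;"10.1.20.31";bwong;LAB1-PC07
this line was truncated by a concurrent write
Wed 03/05/2008; 8:02:11.05;"10.1.20.31";jdoe;LAB1-PC07
'''

def parse_logins(text):
    """Return (records, rejected_lines); records are sorted by timestamp."""
    records, rejected = [], []
    for row in csv.reader(io.StringIO(text), delimiter=';'):
        if not row:
            continue
        try:
            date_s, time_s, ip, user, computer = (f.strip() for f in row)
            # Drop the weekday prefix and hundredths; %time% pads hours with a space.
            stamp = datetime.strptime(
                date_s.split()[-1] + ' ' + time_s.split('.')[0],
                '%m/%d/%Y %H:%M:%S')
        except (ValueError, IndexError):
            # Wrong field count or unparsable date: keep the line for manual review.
            rejected.append(';'.join(row))
            continue
        records.append({'when': stamp, 'ip': ip, 'user': user.lower(),
                        'computer': computer.upper()})
    records.sort(key=lambda r: r['when'])
    return records, rejected

def who_was_on(records, computer, at):
    """Most recent login recorded on `computer` at or before `at`, or None."""
    hits = [r for r in records
            if r['computer'] == computer.upper() and r['when'] <= at]
    return hits[-1] if hits else None

if __name__ == '__main__':
    recs, bad = parse_logins(SAMPLE)
    print(who_was_on(recs, 'LAB1-PC07', datetime(2008, 3, 4, 14, 0)), bad)
```

Because the logon script runs as the user, the share must be writable by every user, so these entries are self-reported and can be edited or skipped; the Security log on the domain controllers remains the authoritative record.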
 
rsnellman (IT Manager, Author) commented:
What?  You lost me.  All I want to log is when a domain user account logs onto a domain client computer.  

I just want to keep it simple.   I am beginning to feel a bit overwhelmed in all this...which means I have a lot more to learn about the AD.
0
 
rsnellman (IT Manager, Author) commented:
So, which audit event log(s) do I need enabled on the DC Group Policy to accomplish:

track when a domain user account logs onto a specific domain client computer?

Did I enable the correct audits or did I overkill on them?

Thanks again.

Bob
0
 
pga008 commented:
Sorry - I just felt like putting my solution to your problem - actually it has nothing to do with the solution above.

Patrick
0
 
rsnellman (IT Manager, Author) commented:
Patrick,
That is ok.  I appreciate all options, but I sometimes am crunched for time by my boss and just trying to do the quickest (is that a word) and simplest solution at that time.  But all options are nice to have so I can go back and try it out later.

Thanks again.

Bob
0
 
rsnellman (IT Manager, Author) commented:
Alright, I have reread this http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html , but according to this, I am not totally for sure which audit event I am wanting...because I do not want to create excess logs in my staff/faculty client computers.  All I am trying to do is keep track of when a student logs onto a lab computer and what lab computer that is.

Any other ideas or clarifications would and will be greatly appreciated.
0
Question has a verified solution.