Solved

How can I discover who logged onto a computer

Posted on 2009-05-18
Last Modified: 2012-05-07
Hi, I am trying to figure out what user account logged into a specific lab computer at a specific time.

Servers: Windows Server 2003 R2
Clients: Windows XP Pro

Unfortunately, we are not running audits on our AD right now.  Is there any other way to figure out who it was?

Thanks for your time.

Bob
0
Question by:rsnellman
24 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 24411870
If auditing was not enabled, then it's going to be tricky. You could try looking at the date/time stamps on some of the files in the local profiles - other than that...
0
 
LVL 8

Expert Comment

by:Point-In-Cyberspace
ID: 24411877
As far as I can remember, you can only get this kind of info with auditing enabled.
Sorry

0
 

Author Comment

by:rsnellman
ID: 24411886
Is it possible to turn on auditing via Group Policies on certain computers in specific OU's?
0
 

Author Comment

by:rsnellman
ID: 24411902
Unfortunately, we have a device that wipes everything clean once rebooted....so, unfortunately, the computer appears to have been rebooted.  So, no date/time stamps on the profiles are available, because that profile is wiped once the system reboots.   Hmmmmm....well, I guess I need to turn on auditing...

How resource intensive is auditing?  What about network chatter?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24411911
It's simple to create a child OU, move the computers into it and then enable auditing on the child OU.

Enabling auditing will not tell you what has gone on in the past though - it's not retrospective
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24411924
Auditing involves no additional network chatter - the logs can get big though - it depends what you audit.
0
 

Author Comment

by:rsnellman
ID: 24411935
OK, so, once I turn on auditing, it will tell me any activity for the present and future though, right?  I know I cannot find out past activity, because it wasn't turned on and keeping track of it then, right?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24411944
Yes
0
 

Author Comment

by:rsnellman
ID: 24411992
How do I go about enabling auditing for logon events on say lab computers OU?
0
 
LVL 8

Expert Comment

by:Point-In-Cyberspace
ID: 24412006
You can configure auditing to report only the info you need, to reduce performance troubles.
Anyway, a little server can audit base events without relevant impact on performance.

The audit policy for logon and logoff, which is what you need, is applied to the domain controllers and not to the client machines in a domain environment where the logon user is on the domain, or to the clients if there are no domains or the user account is in Computer Management on single machines.


0
 

Author Comment

by:rsnellman
ID: 24412102
Ok, so if I have 3 remote sites, which all have at least one domain controller per site, I could/should set up each domain controller of each site to audit the labs at those sites or would it be better to have my main site DC audit the entire domain?

0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 500 total points
ID: 24412133
The DC that processes the logon will need to audit it - so if you want to audit the complete domain you will need to enable auditing on all DCs - do it via the Domain Controllers Group policy.

You can use EventCombMT to read/gather the logs from all DCs: http://support.microsoft.com/kb/824209
0
 

Author Comment

by:rsnellman
ID: 24412309
So, where do I find the correct location in a Group Policy for the auditing logon/logoff events?
0
 

Author Comment

by:rsnellman
ID: 24412323
Can I direct the auditing events to be redirected to a different data path(i.e. to a D: path that has more HDD space.)?
0
 
LVL 70

Accepted Solution

by:KCTS
KCTS earned 500 total points
ID: 24412349
Administrative Tools->Default Domain Controller Policy->Local Settings->Audit Policy

It's also worth noting this: http://geekswithblogs.net/woodenshoe/archive/2005/08/30/51642.aspx
0
 

Author Comment

by:rsnellman
ID: 24412495
So, I should make this policy change on the DC Policy....hmmmm...I am only wanting to track/audit the lab computer logons/logoffs..., but if this is a best practice then I guess I should follow it.  Is there a way I can have the DC Policy auditing only the lab computer's access?  Or am I stuck auditing the entire domain (i.e. lab computer, staff, faculty computers, etc.)?
0
 

Author Comment

by:rsnellman
ID: 24413028
Maybe I am just having a bad day, but that blog is just not making any sense.  If I just want to track logon/logoff events to lab computers, which audit(s) do I need to enable?
0
 

Author Comment

by:rsnellman
ID: 24413266
OK, I have enabled the following auditing policies on the Default Domain Controllers Policy:

Audit account logon events
Audit account management
Audit logon events

Hopefully this will give me what I am looking for.

Thanks to all.

Bob
0
 

Expert Comment

by:pga008
ID: 24413404

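What about creating a log.cmd and adding it to the login script? You can import logins.txt or create an ODBC connection for the logins.txt in Excel.

Patrick

>>>log.cmd
@echo off

rem Collect the "IP Address" line(s) from ipconfig into a temp file
IPCONFIG |FIND "IP" > %temp%\TEMPIP.txt
rem Keep the text after the colon (the address) from the last matching line
FOR /F "tokens=2 delims=:" %%a in (%temp%\TEMPIP.txt) do set IP=%%a
del %temp%\TEMPIP.txt
rem Drop the leading space left in front of the address
set IP=%IP:~1%
echo %IP% >%temp%\ip.txt
rem Append date;time;"IP";user;computer to the shared log file
echo %date%;%time%;"%IP%";%username%;%computername% >> \\server\SAVE$\logins.txt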
0
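Added example (not part of the original thread and not pga008's code): a Python sketch that answers the original question, "who logged onto this lab computer around this time", from the logins.txt file that log.cmd appends to. The sample lines, host names, user names and the US-English `%date%`/`%time%` formats are constructed assumptions; adjust the format string for other locales.

```python
from datetime import datetime, timedelta

# Constructed sample in the format log.cmd appends:
#   %date%;%time%;"IP";%username%;%computername%
# Assumption: US-English Windows XP formats, "Mon 05/18/2009" for %date%
# and "14:03:22.51" for %time% (hour space-padded before 10:00).
SAMPLE = """\
Mon 05/18/2009; 8:59:07.12;"10.0.5.21";jdoe;LAB1-PC04
Mon 05/18/2009;13:58:41.90;"10.0.5.22";asmith;LAB1-PC05
Mon 05/18/2009;14:03:22.51;"10.0.5.21";bjones;LAB1-PC04
this line is damaged
Mon 05/18/2009;16:40:02.03;"10.0.5.21";jdoe;lab1-pc04
"""

def parse_line(line):
    """Return (when, user, ip, computer), or None if the line is malformed."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != 5:
        return None
    date_s, time_s, ip, user, computer = parts
    try:
        when = datetime.strptime(date_s + " " + time_s, "%a %m/%d/%Y %H:%M:%S.%f")
    except ValueError:
        return None
    return when, user, ip.strip('" '), computer.upper()

def who_logged_on(log_text, computer, at, window_minutes=30):
    """Return (hits, skipped) for logons on `computer` within the window around `at`."""
    # hits: time-sorted (when, user, ip) tuples; skipped: count of lines that
    # did not parse, reported so damaged or edited lines are not silently hidden.
    window = timedelta(minutes=window_minutes)
    hits, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        when, user, ip, host = rec
        if host == computer.upper() and abs(when - at) <= window:
            hits.append((when, user, ip))
    return sorted(hits), skipped

if __name__ == "__main__":
    hits, skipped = who_logged_on(SAMPLE, "LAB1-PC04", datetime(2009, 5, 18, 14, 0))
    print(hits, "unparseable lines:", skipped)
```

Because log.cmd runs as the user who is logging on, every user needs write access to logins.txt, so treat the file as a convenience record rather than an audit trail.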
 

Author Comment

by:rsnellman
ID: 24413432
What?  You lost me.  All I want to log is when a domain user account logs onto a domain client computer.  

I just want to keep it simple.   I am beginning to feel a bit overwhelmed in all this...which means I have a lot more to learn about the AD.
0
 

Author Comment

by:rsnellman
ID: 24413505
So, which audit event log(s) do I need enabled on the DC Group Policy to accomplish:

track when a domain user account logs onto a specific domain client computer?

Did I enable the correct audits or did I overkill on them?

Thanks again.

Bob
0
 

Expert Comment

by:pga008
ID: 24413518
Sorry - I just felt like putting my solution to your problem - actually it has nothing to do with the solution above.

Patrick
0
 

Author Comment

by:rsnellman
ID: 24413549
Patrick,
That is ok.  I appreciate all options, but I sometimes am crunched for time by my boss and just trying to do the quickest (is that a word) and simplest solution at that time.  But all options are nice to have so I can go back and try it out later.

Thanks again.

Bob
0
 

Author Comment

by:rsnellman
ID: 24413680
Alright, I have reread this http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html , but according to this, I am not totally for sure which audit event I am wanting...because I do not want to create excess logs in my staff/faculty client computers.  All I am trying to do is keep track of when a student logs onto a lab computer and what lab computer that is.

Any other ideas or clarifications would and will be greatly appreciated.
0

Question has a verified solution.
