Solved

How can I discover who logged onto a computer

Posted on 2009-05-18
Last Modified: 2012-05-07
Hi, I am trying to figure out what user account logged into a specific lab computer at a specific time.

Servers: Windows Server 2003 R2
Clients: Windows XP Pro

Unfortunately, we are not running audits on our AD right now.  Is there any other way to figure out who it was?

Thanks for your time.

Bob
Question by:rsnellman
24 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 24411870
If auditing was not enabled - then it's going to be tricky - you could try looking at the date/time stamps on some of the files in the local profiles - other than that...
0
 
LVL 8

Expert Comment

by:Point-In-Cyberspace
ID: 24411877
As I can remember, only with auditing enabled you can get this kind of info.
Sorry

0
 

Author Comment

by:rsnellman
ID: 24411886
Is it possible to turn on auditing via Group Policies on certain computers in specific OUs?
0
 

Author Comment

by:rsnellman
ID: 24411902
Unfortunately, we have a device that wipes everything clean once rebooted....so, unfortunately, the computer appears to have been rebooted.  So, no date/time stamps on the profiles are available, because that profile is wiped once the system reboots.   Hmmmmm....well, I guess I need to turn on auditing...

How resource intensive is auditing?  What about network chatter?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24411911
It's simple to create a child OU, move the computers into it and then enable auditing on the child OU.

Enabling auditing will not tell you what has gone on in the past though - it's not retrospective
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24411924
Auditing involves no additional network chatter - the logs can get big though - it depends what you audit.
0
 

Author Comment

by:rsnellman
ID: 24411935
OK, so, once I turn on auditing, it will tell me any activity for the present and future though, right?  I know I cannot find out past activity, because it wasn't turned on and keeping track of it then, right?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24411944
Yes
0
 

Author Comment

by:rsnellman
ID: 24411992
How do I go about enabling auditing for logon events on say lab computers OU?
0
 
LVL 8

Expert Comment

by:Point-In-Cyberspace
ID: 24412006
You can configure auditing to report only the info you need, to reduce performance troubles.
Anyway, a little server can audit basic events without relevant impact on performance.

The audit policy for logon and logoff, which is what you need, is applied to the domain controllers and not to the client machines in a domain environment where the logon user is on the domain, or to the clients if there are no domains or the user account is in computer management on single machines.


0
 

Author Comment

by:rsnellman
ID: 24412102
Ok, so if I have 3 remote sites, which all have at least one domain controller per site, I could/should set up each domain controller of each site to audit the labs at those sites or would it be better to have my main site DC audit the entire domain?

0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 500 total points
ID: 24412133
The DC that processes the logon will need to audit it - so if you want to audit the complete domain you will need to enable auditing on all DCs - do it via the Domain Controllers Group policy.

You can use EventCombMT to read and gather the logs from all DCs http://support.microsoft.com/kb/824209
0
 

Author Comment

by:rsnellman
ID: 24412309
So, where do I find the correct location in a Group Policy for the auditing logon/logoff events?
0
 

Author Comment

by:rsnellman
ID: 24412323
Can I direct the auditing events to be redirected to a different data path (i.e. to a D: path that has more HDD space)?
0
 
LVL 70

Accepted Solution

by:KCTS
KCTS earned 500 total points
ID: 24412349
Administrative Tools->Default Domain Controller Policy->Local Settings->Audit Policy

It's also worth noting this http://geekswithblogs.net/woodenshoe/archive/2005/08/30/51642.aspx
0
 

Author Comment

by:rsnellman
ID: 24412495
So, I should make this policy change on the DC Policy....hmmmm...I am only wanting to track/audit the lab computer logons/logoffs..., but if this is a best practice then I guess I should follow it.  Is there a way I can have the DC Policy auditing only the lab computer's access?  Or am I stuck auditing the entire domain (i.e. lab computer, staff, faculty computers, etc.)?
0
 

Author Comment

by:rsnellman
ID: 24413028
Maybe, I am just having a bad day, but that blog is just not making any sense.  If I just want to track logon/logoff events to lab computers, which audit(s) do I need to enable?
0
 

Author Comment

by:rsnellman
ID: 24413266
OK, I have enabled the following auditing policies on the Default Domain Controllers Policy:

Audit account logon events
Audit account management
Audit logon events

Hopefully this will give me what I am looking for.

Thanks to all.

Bob
0
 

Expert Comment

by:pga008
ID: 24413404

What about creating a log.cmd and adding it to the login script? You can import logins.txt or create an ODBC connection for the logins.txt in Excel.

Patrick

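>>>log.cmd
@echo off

rem Collect the lines of ipconfig output that contain "IP".
IPCONFIG |FIND "IP" > "%temp%\TEMPIP.txt"
rem Keep the text after the colon from the last matching line (the IP address).
FOR /F "usebackq tokens=2 delims=:" %%a in ("%temp%\TEMPIP.txt") do set IP=%%a
del "%temp%\TEMPIP.txt"
rem Strip the leading space left over from the ipconfig line.
set IP=%IP:~1%
echo %IP% >"%temp%\ip.txt"
rem Append date, time, IP, user name and computer name to the shared log file.
echo %date%;%time%;"%IP%";%username%;%computername% >> \\server\SAVE$\logins.txt
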
0
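As an added example (not part of the original posts), the sketch below reads the logins.txt format that the log.cmd above writes and answers the original question: who most recently logged on to a given lab computer at or before a given time. It assumes the US `%date%` format of Windows XP (`Mon 05/18/2009`); the sample lines, host names, user names and addresses are constructed.

```python
from datetime import datetime
from typing import NamedTuple

# Constructed sample of logins.txt (format: date;time;"IP";user;computer).
SAMPLE = '''Mon 05/18/2009; 8:01:12.40;"10.1.2.31";jdoe;LAB1-PC07 
Mon 05/18/2009; 9:15:03.11;"10.1.2.32";asmith;LAB1-PC08 
Mon 05/18/2009;10:42:55.90;"10.1.2.31";bwong;LAB1-PC07 
garbage line without enough fields
Mon 05/18/2009;13:05:20.02;"10.1.2.31";asmith;LAB1-PC07 
'''

class Logon(NamedTuple):
    when: datetime
    ip: str
    user: str
    computer: str

def parse_logins(text):
    """Return the well-formed entries, oldest first; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            continue
        date_s, time_s, ip, user, computer = fields
        try:
            # Assumed US locale: drop the weekday name and the hundredths.
            stamp = f"{date_s.split()[-1]} {time_s.split('.')[0]}"
            when = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        except (ValueError, IndexError):
            continue
        entries.append(Logon(when, ip.strip('"'), user, computer))
    return sorted(entries)

def who_was_on(entries, computer, at):
    """Latest logon on `computer` at or before `at`, or None.

    A logon script records logons only, so this is the last user known to
    have logged on, not proof that the session was still open.
    """
    prior = [e for e in entries
             if e.computer.lower() == computer.lower() and e.when <= at]
    return max(prior, key=lambda e: e.when) if prior else None

if __name__ == "__main__":
    hit = who_was_on(parse_logins(SAMPLE), "lab1-pc07",
                     datetime(2009, 5, 18, 11, 0))
    print(hit.user if hit else "no logon recorded")
```

Every user's logon script has to be able to append to the shared file, so the file is a convenience record that users can also edit, not a tamper-resistant audit trail like the domain controllers' Security log.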
 

Author Comment

by:rsnellman
ID: 24413432
What?  You lost me.  All I want to log is when a domain user account logs onto a domain client computer.  

I just want to keep it simple.   I am beginning to feel a bit overwhelmed in all this...which means I have a lot more to learn about the AD.
0
 

Author Comment

by:rsnellman
ID: 24413505
So, which audit event log(s) do I need enabled on the DC Group Policy to accomplish:

track when a domain user account logs onto a specific domain client computer?

Did I enable the correct audits or did I overkill on them?

Thanks again.

Bob
0
 

Expert Comment

by:pga008
ID: 24413518
Sorry - I just felt like putting my solution to your problem - actually it has nothing to do with the solution above.

Patrick
0
 

Author Comment

by:rsnellman
ID: 24413549
Patrick,
That is ok.  I appreciate all options, but I sometimes am crunched for time by my boss and just trying to do the quickest (is that a word) and simplest solution at that time.  But all options are nice to have so I can go back and try it out later.

Thanks again.

Bob
0
 

Author Comment

by:rsnellman
ID: 24413680
Alright, I have reread this http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html , but according to this, I am not totally for sure which audit event I am wanting...because I do not want to create excess logs in my staff/faculty client computers.  All I am trying to do is keep track of when a student logs onto a lab computer and what lab computer that is.

Any other ideas or clarifications would and will be greatly appreciated.
0
