Avatar of Simon336697
Simon336697
Flag for Australia asked on

Not logging the workstation name

Hi guys hope you are all well and can assist.
We have an AD 2003 domain.

We have auditing enabled for the following events in the Default Domain Controllers Group Policy

Audit account logon events          Success, Failure
Audti account management          Success, Failure
Audit directory service access       Success
Audit logon events                       Success, Failure
Audit object access                       No auditing
Audit policy change                       Success
Audit privilege use                        No auditing
Audit process tracking                  No auditing
Audit system events                     Success

The following event shows you that the "Workstation Name" field is NOT capturing the name of the workstation. It is totally blank.
We want the name of the workstation to be captured, and Im not sure what to do to get this.

The following is seen on the DOMAIN CONTROLLER in its Security Log.

===================================================== Event Log > Security > Event ID 540

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/08/2011
Time:            10:39:49 AM
User:            AN\kxbg
Computer:      AUYNPZ82
Description:
Successful Network Logon:
       User Name:      kxbg
       Domain:            AN
       Logon ID:            (0x0,0x2FDC891B)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:                                                                --------------------> This is the field we want to capture.
       Logon GUID:      {1a290428-65c6-7ceb-c001-4393c0db2dd5}
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      10.170.0.204
       Source Port:      2697

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Any help greatly appreciated as to why the name of the workstation is not being captured.

Thanking everyone in advance.
Active Directory

Avatar of undefined
Last Comment
Simon336697

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Leon Fester

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Simon336697

ASKER
Hi dvt,
Thanks so much for your kind help.
dvt,
Is the logon guid field the name of the workstation?
So, when you do
adfind -sc adguid:1a290428-65c6-7ceb-c001-4393c0db2dd5
Does this return the name of the workstation?
Thanks so much for your help.
Is it also true that because this is kerberos, that kerberos will not log the workstation name? If it was ntlm, it would?
Simon336697

ASKER
dvt,
where you say...
I had a similar issue with nothing being returned in the event logs.
Troubleshooting eventually led me to my Bluecoat device that was trying to authenticate anonymous users.

dvt,
did this bluecoat device stop the workstation name from being logged?
If so, what did you do and did you eventually get the workstation name to be logged?

Thanks dvt.
SOLUTION
Leon Fester

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Simon336697

ASKER
Thanks so much.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck