Is it possible to find which computer the user had logged in when sending an bullying email.

Hi

We have windows 2012 DC and windows 7 PC . One of the student have sent a bullying email to certain mail groups.
Is it possible to find which computer they had logged in  when sending this email. I went his mail box  and I can see in the sent items the mail that he had sent and the time. Will any script do this work to find out the computer.

Any help much appreciated.

Thanks in advance
lianne143Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ful56ukCommented:
You could look at the Domain Controller security event log and search for the username in there
0
AmitIT ArchitectCommented:
Does computer name really matter, if you are able to see in sent items.
0
lydenjCommented:
Your Exchange server's log should tell you the IP of the originating machine based on the time/date of the original email.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

lianne143Author Commented:
If I get the computer name  that will be great. We have DHCP  in our networked and think sometimes the I think the IP address may be allotted to a different PC.

I saw the event in the DC under the security  corresponding to he time that was sent by the user and when I compared the IP, on the DHCP server lease , the IP was a different devise IP , which is unlikely the user might have used that device.

I saw in the exchange server logs , some log show the PC name and the user who sent the bully mail also list , but on the event dosen't show the PC name , which is required.
0
Will SzymkowskiSenior Solution ArchitectCommented:
You will not be able to track the computer that the user logged into unless you have Auditing Enabled on the Default Domain Controllers Policy. Also, if you have left the default SIZE for the Security Logs on your domain controllers this information would most likely been overwritten by now. Security Logs on the DC's should be set to something like 1GB in size to ensure that if you are using some sort of auditing software it will be able to collect the logs before they are overwritten.

A good product for this is Lepide Auditor for Active Directory.
http://www.lepide.com/lepideauditor/active-directory.html

Also if advance logging is not enabled in IIS you will not be able to find the IP address of the client device. Take a look a the below link for details on setting this up.
http://msexchangeguru.com/2012/12/06/find-device-ip/


Will.
0
lianne143Author Commented:
Please see the snapshot hope I am looking on the right place , I think the auditing is not setup, is that true.

On the DC In the security logs I can see logs yesterdays dated till yesterday. So got some time before it over writes.

There are 217600 events and it is difficult to search one by one and it becomes slow sometimes. It is possible to search by name , I have the user name \ save the events and delete the in appropriate ones to narrow down.


Thanks
auditing.PNG
0
Will SzymkowskiSenior Solution ArchitectCommented:
You are correct, Auditing is not enabled on the Default Domain Controllers Policy. This would be why your Security Logs are still from yesterday. When you have auditing enabled, this creates many more security logs. Depending on the size of your environment enabling the Auditing and leaving the default Security Log Size it will overwrite every hour for sure.

Unfortunately you will not be able to get your info you require from the Security Logs, becasue auditing needs to be enable first, before the change happens.

Will.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lianne143Author Commented:
Thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.