Is it possible to find which computer the user had logged in to when sending a bullying email?

Hi

We have a Windows 2012 DC and Windows 7 PCs. One of the students has sent a bullying email to certain mail groups.
Is it possible to find which computer they had logged in to when sending this email? I went into his mailbox and I can see in the sent items the mail that he had sent and the time. Will any script do this work to find out the computer?

Any help much appreciated.

Thanks in advance
lianne143 Asked:
 
Will Szymkowski, Senior Solution Architect, Commented:
You are correct, Auditing is not enabled on the Default Domain Controllers Policy. This would be why your Security Logs are still from yesterday. When you have auditing enabled, this creates many more security logs. Depending on the size of your environment, enabling the Auditing and leaving the default Security Log size, it will overwrite every hour for sure.

Unfortunately you will not be able to get the info you require from the Security Logs, because auditing needs to be enabled first, before the change happens.

Will.
0
 
ful56uk Commented:
You could look at the Domain Controller security event log and search for the username in there.
0
 
Amit, IT Architect, Commented:
Does the computer name really matter, if you are able to see it in sent items?
0
 
lydenj Commented:
Your Exchange server's log should tell you the IP of the originating machine based on the time/date of the original email.
0
 
lianne143 (Author) Commented:
If I get the computer name, that will be great. We have DHCP in our network and I think sometimes the IP address may be allotted to a different PC.

I saw the event on the DC under Security corresponding to the time that the mail was sent by the user, and when I compared the IP on the DHCP server lease, the IP was a different device's IP, and it is unlikely the user might have used that device.

I saw in the Exchange server logs that some logs show the PC name, and the user who sent the bullying mail is also listed, but the event doesn't show the PC name, which is required.
0
 
Will Szymkowski, Senior Solution Architect, Commented:
You will not be able to track the computer that the user logged into unless you have Auditing enabled on the Default Domain Controllers Policy. Also, if you have left the default size for the Security Logs on your domain controllers, this information would most likely have been overwritten by now. Security Logs on the DCs should be set to something like 1GB in size to ensure that if you are using some sort of auditing software it will be able to collect the logs before they are overwritten.

A good product for this is Lepide Auditor for Active Directory.
http://www.lepide.com/lepideauditor/active-directory.html

Also, if advanced logging is not enabled in IIS you will not be able to find the IP address of the client device. Take a look at the link below for details on setting this up.
http://msexchangeguru.com/2012/12/06/find-device-ip/


Will.
0
 
lianne143 (Author) Commented:
Please see the snapshot; I hope I am looking in the right place. I think the auditing is not set up, is that true?

On the DC, in the security logs, I can see logs dated till yesterday. So I have got some time before it overwrites.

There are 217600 events and it is difficult to search one by one and it becomes slow sometimes. It is possible to search by name, I have the user name / save the events and delete the inappropriate ones to narrow down.


Thanks
auditing.PNG
0
 
lianne143 (Author) Commented:
Thanks
0
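An added example, not part of the original thread or any participant's script: one way to run the username search of the DC Security log suggested above without paging through 217600 events, returning the workstation name and source IP from logon events in a window around the time the email was sent. It returns rows only if logon auditing was already enabled at that time; the function name, user name, times and .evtx path are placeholders.

```powershell
# Added example. Get-UserLogonSource, 'jdoe', the dates and the .evtx path are hypothetical.
function Get-UserLogonSource {
    param(
        [Parameter(Mandatory)] [string]   $UserName,  # sAMAccountName only, no domain prefix
        [Parameter(Mandatory)] [datetime] $Start,     # local time, start of window
        [Parameter(Mandatory)] [datetime] $End,       # local time, end of window
        [string] $EvtxPath                            # optional saved copy of the Security log
    )

    # The event log stores TimeCreated in UTC, so convert the window first.
    $from = $Start.ToUniversalTime().ToString('s') + '.000Z'
    $to   = $End.ToUniversalTime().ToString('s') + '.999Z'

    # 4624 = account logon, 4768 = Kerberos TGT request, 4776 = NTLM credential validation.
    # The TargetUserName comparison is case-sensitive; use the case shown in the log.
    $xpath = "*[System[(EventID=4624 or EventID=4768 or EventID=4776) and " +
             "TimeCreated[@SystemTime>='$from' and @SystemTime<='$to']] and " +
             "EventData[Data[@Name='TargetUserName']='$UserName']]"

    # Read the live log on this DC, or an exported .evtx so the evidence is not overwritten.
    $source = if ($EvtxPath) { @{ Path = $EvtxPath } } else { @{ LogName = 'Security' } }

    Get-WinEvent @source -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the named <Data> fields of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            RecordedOn  = $_.MachineName          # the DC that wrote the event
            LogonType   = $data['LogonType']      # present on 4624 only
            # 4624 names the field WorkstationName, 4776 names it Workstation.
            Workstation = if ($data['WorkstationName']) { $data['WorkstationName'] }
                          else { $data['Workstation'] }
            IpAddress   = $data['IpAddress']      # 4624 and 4768; match against the DHCP lease at this time
        }
    } | Sort-Object Time
}

# Example call (constructed values):
# Get-UserLogonSource -UserName 'jdoe' -Start '2015-03-10 13:00' -End '2015-03-10 14:00' |
#     Format-Table -AutoSize
```

Run it on each domain controller, or against a saved copy of each DC's Security log, since a logon is recorded only by the DC that handled it.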
Question has a verified solution.
