lianne143
asked on
Is it possible to find which computer the user had logged in when sending an bullying email.
Hi
We have windows 2012 DC and windows 7 PC . One of the student have sent a bullying email to certain mail groups.
Is it possible to find which computer they had logged in when sending this email. I went his mail box and I can see in the sent items the mail that he had sent and the time. Will any script do this work to find out the computer.
Any help much appreciated.
Thanks in advance
We have windows 2012 DC and windows 7 PC . One of the student have sent a bullying email to certain mail groups.
Is it possible to find which computer they had logged in when sending this email. I went his mail box and I can see in the sent items the mail that he had sent and the time. Will any script do this work to find out the computer.
Any help much appreciated.
Thanks in advance
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Does computer name really matter, if you are able to see in sent items.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
If I get the computer name that will be great. We have DHCP in our networked and think sometimes the I think the IP address may be allotted to a different PC.
I saw the event in the DC under the security corresponding to he time that was sent by the user and when I compared the IP, on the DHCP server lease , the IP was a different devise IP , which is unlikely the user might have used that device.
I saw in the exchange server logs , some log show the PC name and the user who sent the bully mail also list , but on the event dosen't show the PC name , which is required.
I saw the event in the DC under the security corresponding to he time that was sent by the user and when I compared the IP, on the DHCP server lease , the IP was a different devise IP , which is unlikely the user might have used that device.
I saw in the exchange server logs , some log show the PC name and the user who sent the bully mail also list , but on the event dosen't show the PC name , which is required.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Please see the snapshot hope I am looking on the right place , I think the auditing is not setup, is that true.
On the DC In the security logs I can see logs yesterdays dated till yesterday. So got some time before it over writes.
There are 217600 events and it is difficult to search one by one and it becomes slow sometimes. It is possible to search by name , I have the user name \ save the events and delete the in appropriate ones to narrow down.
Thanks
auditing.PNG
On the DC In the security logs I can see logs yesterdays dated till yesterday. So got some time before it over writes.
There are 217600 events and it is difficult to search one by one and it becomes slow sometimes. It is possible to search by name , I have the user name \ save the events and delete the in appropriate ones to narrow down.
Thanks
auditing.PNG
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks