Auditing Domain User LogonsLocked
I need to audit user logons and the workstations they are logging onto. I used to do this with a logon script which dumped the info to a text file, but rogue programs are clearing the text file.
I then tried to enable the Audit account logon events policy on the domain controller (Win 2000). It will show me the user logon events, but the workstation name remains blank. I’ve read this is a default behavior of Kerberos authentication. Is there a way to get the workstation name recorded in these events (Event ID: 540, Source: Security, Category: Logon/Logoff)?