General discussion

  • Creator
    Topic
  • #2296708

    Auditing Domain User Logons

    Locked

    by castaway kid ·

    I need to audit user logons and the workstations they are logging onto. I used to do this with a logon script which dumped the info to a text file, but rogue programs are clearing the text file.

    I then tried to enable the Audit account logon events policy on the domain controller (Win 2000). It will show me the user logon events, but the workstation name remains blank. I’ve read this is a default behavior of Kerberos authentication. Is there a way to get the workstation name recorded in these events (Event ID: 540, Source: Security, Category: Logon/Logoff)?

All Comments

  • Author
    Replies
    • #2673548

      Reply To: Auditing Domain User Logons

      by joseph moore ·

      In reply to Auditing Domain User Logons

      I have to ask, when you say, “rogue programs are clearing the text file,” what does that mean???

      Personally, I run a command in the user login scripts that writes to a text file, and my file has 2 years of entries in it. No erasing by rogue programs. I find this to be the best way to tell who is logging into where. I do not like using the auditing feature for Successful logon events. I only audit Failures.

    • #2670824

      Reply To: Auditing Domain User Logons

      by castaway kid ·

      In reply to Auditing Domain User Logons

      I should clarify the “rogue program” part. It appears there are programs running on client PCs in two particular labs. The only reason I know it is those two labs is the logon and logoff scripts run twice for some reason on those PCs (I suspect this has something to do with Loopback Policy processing). The text file is cleared immediately after the first logon script runs, but not on the second access. Unfortunately, users signing into these two labs must have local administrative rights on those PCs.
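
One way to contain the failure described in this thread, a logon-script text file that gets cleared from the client side, is to copy entries off the writable file as they arrive and flag the moment it shrinks or is replaced. This is an added example, not part of the thread or either poster's script; the class name, file names, log-line layout and sample entries are constructed assumptions.

```python
import os
import tempfile

class LogonLogMirror:
    """Copies new lines from a client-writable logon log into a private
    archive and flags when the source was cleared or replaced."""

    def __init__(self, source, archive):
        self.source, self.archive = source, archive
        self.offset = 0    # bytes of the source already archived
        self.tail = b""    # last bytes archived, used to verify continuity
        self.cleared = 0   # how many times the source was found cleared

    def _intact(self, data):
        # What was archived before must still sit unchanged at the same place.
        start = self.offset - len(self.tail)
        return len(data) >= self.offset and data[start:self.offset] == self.tail

    def poll(self):
        """Archive complete new lines; return (new_lines, was_cleared)."""
        try:
            with open(self.source, "rb") as f:
                data = f.read()
        except FileNotFoundError:
            data = b""
        was_cleared = not self._intact(data)
        if was_cleared:
            self.cleared += 1
            self.offset, self.tail = 0, b""
        end = data.rfind(b"\n") + 1            # skip a half-written last line
        new = data[self.offset:end] if end > self.offset else b""
        with open(self.archive, "ab") as out:
            if was_cleared:
                out.write(b"# SOURCE CLEARED OR REPLACED BEFORE THIS POINT\n")
            out.write(new)
        if new:
            self.offset, self.tail = end, data[max(0, end - 64):end]
        return [l.decode("utf-8", "replace") for l in new.splitlines()], was_cleared

def demo():
    """Constructed sample: two logons, the file is cleared, one more logon."""
    d = tempfile.mkdtemp()
    src, arc = os.path.join(d, "logons.txt"), os.path.join(d, "archive.txt")
    mirror = LogonLogMirror(src, arc)
    with open(src, "wb") as f:
        f.write(b"2004-03-01 08:01 alice LAB1-PC07\r\n2004-03-01 08:02 bob LAB2-PC03\r\n")
    first = mirror.poll()
    with open(src, "wb") as f:                 # file cleared, then a new logon
        f.write(b"2004-03-01 08:05 carol LAB1-PC07\r\n")
    second = mirror.poll()
    with open(arc, "rb") as f:
        return first, second, f.read().count(b"\n")
```

The archive only helps if it lives somewhere the logging-on users cannot write, and entries added and cleared between two polls are still lost, so the polling interval bounds the exposure.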
