Auditing Domain User Logons

By Castaway Kid
I need to audit user logons and the workstations they are logging onto. I used to do this with a logon script which dumped the info to a text file, but rogue programs are clearing the text file.

I then tried to enable the Audit account logon events policy on the domain controller (Win 2000). It will show me the user logon events, but the workstation name remains blank. I've read this is a default behavior of Kerberos authentication. Is there a way to get the workstation name recorded in these events (Event ID 540, Source: Security, Category: Logon/Logoff)?

by Joseph Moore In reply to Auditing Domain User Logo ...

I have to ask, when you say, "rogue programs are clearing the text file," what does that mean???

Personally, I run a command in the user login scripts that writes to a text file, and my file has 2 years of entries in it. No erasing by rogue programs. I find this to be the best way to tell who is logging into where. I do not like using the auditing feature for Successful logon events. I only audit Failures.

by Castaway Kid In reply to Auditing Domain User Logo ...

I should clarify the "rogue program" part. It appears there are programs running on client PCs in two particular labs. The only reason I know it is those two labs is the logon and logoff scripts run twice for some reason on those PCs (I suspect this has something to do with Loopback Policy processing). The text file is cleared immediately after the first logon script runs, but not on the second access. Unfortunately, users signing into these two labs must have local administrative rights on those PCs.
