Get list of users who logged into Domain Controller?

ohaya

Hi,

I know that this is after-the-fact, but is there anything in a Windows
2000 Domain Controller (Windows 2000 Advanced Server) that would allow
us to see who has logged into the DC over time?

We had a very strange incident that appears to have started at the end
of last week, just before the weekend, where all of a sudden, a lot of
things stopped working (not being able to log onto shared drives,
etc.).
I just helped get things working again this evening, and I was kind
of surprised that the end resolution was that the "Client for Microsoft
Networks" was missing from the Network Properties. Once we re-installed
that, everything appeared to start working, for which I was very
grateful, but now I'm beginning to wonder how that could have happened.

One of the possibilities that I'm wondering about is if someone might
have either inadvertently or maliciously gone in and removed Client for
Microsoft Networks.

Thanks in advance,
Jim
 
If you want to know who is logging on locally to your domain controller, you
need to enable "Audit logon events". I suggest you also enable "Audit account
logon events".
Both of these should be enabled on the domain controller policy.
 
They are not enabled by default. The one you want to enable is account logon
events in Domain Controller Security Policy. You will have to examine the
security logs on all the domain controllers as the event will be recorded in
the log of the domain controller that authenticated a user. The free Event
Comb from Microsoft can make it easy to search the security logs of multiple
domain controllers. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx --- MS
white paper on auditing.
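
The correlation step the replies above describe, as an added example that is not part of the thread: merge Security log exports from several domain controllers, list console logons, and show which DC recorded each user's account logon events. The CSV layout, host names, accounts and timestamps are constructed; event IDs 528 (logon), 672 and 680 (account logon) are the Windows 2000 Security log numbering.

```python
import csv
import io
from collections import defaultdict

# Windows 2000 Security log event IDs (pre-Vista numbering).
# 528/540 are written by "Audit logon events";
# 672/680 are written by "Audit account logon events".
ACCOUNT_LOGON = {672, 680}

# Constructed exports, one per DC. Column layout, hosts and users are made up.
EXPORTS = {
    "DC1": """time,event_id,user,logon_type
2005-03-11 16:52:10,672,jsmith,
2005-03-11 17:05:44,528,admin2,2
2005-03-11 17:06:02,540,jsmith,3
""",
    "DC2": """time,event_id,user,logon_type
2005-03-11 16:40:00,672,admin2,
2005-03-12 09:15:31,528,svc_backup,5
""",
}

def merged_timeline(exports):
    """Combine every DC's export into one list sorted by timestamp."""
    rows = []
    for dc, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            row["dc"] = dc
            row["event_id"] = int(row["event_id"])
            rows.append(row)
    return sorted(rows, key=lambda r: r["time"])

def console_logons(rows):
    """Event 528 with logon type 2: an interactive logon at the DC itself."""
    return [(r["time"], r["dc"], r["user"]) for r in rows
            if r["event_id"] == 528 and r["logon_type"] == "2"]

def authenticating_dcs(rows):
    """Map each user to the DCs whose logs hold their account logon events."""
    seen = defaultdict(set)
    for r in rows:
        if r["event_id"] in ACCOUNT_LOGON:
            seen[r["user"]].add(r["dc"])
    return dict(seen)

if __name__ == "__main__":
    timeline = merged_timeline(EXPORTS)
    print(console_logons(timeline))
    print(authenticating_dcs(timeline))
```

In the sample, admin2's console logon is in DC1's log while the matching account logon event is only in DC2's, which is why every domain controller's log has to be searched.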
 