You can enable auditing to track this, but be aware that it can generate
huge security event logs so the default size of those will need to be
increased.
It can be enabled in security settings/local polcies/audit policies/audit
logon events for your domain or domain controller security policy. You can
audit success, failure, or both.
For every interactive logon though (user physically at their machine
entering pw etc which is a type 2 event) you'll see 3 or 4 other events
(usually type 3 which is network connection). These will be generated by
mappped drives, browsing, machines updating secure channels, and any number
of other things the system needs to do all happening behind the scenes, but
all of which will generate audit events, especially when auditing for
successful logons. That's why you'll see "logons" in the middle of the
night when nobody is there.
The following will give you more info about the audit events, but these were
not designed to give a complete/through/definite answer to everything that
happens, rather to be used by admins as an indicator for admins to determine
if there May be a problem that deserves further investigation.
299475 Windows 2000 Security Event Descriptions (Part 1 of 2)
http://support.microsoft.com/?id=299475
301677 Windows 2000 Security Event Descriptions (Part 2 of 2)
http://support.microsoft.com/?id=301677
hope this helps
--
David Brandt
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
