rodriguez.alfonso
Hi, I have the following problem:
I need to know from which machine a user has logged. The actual
infrastructure we have is 4 Domain Controllers (say A,B,C,D), Windows
2000 latest service packs. The domain Policy
The Default Domain Controllers Policy has :
*--------------------------------------------------------------------------*
Policy                            Setting
Audit account logon events        Success, Failure
Audit account management          Success
Audit directory service access    Success, Failure
Audit logon events                Success, Failure
Audit object access               Success, Failure
Audit policy change               Success
Audit privilege use               No auditing
Audit process tracking            Success, Failure
Audit system events               Success, Failure
*--------------------------------------------------------------------------*
When User JohnDoe logs to the network, in the morning, he generates
this event (540, with Logon Process: Ntlmssp) in various (but not
always all) of the domain controllers.
/--------------------------------------------------------------/
Event 540
Successful Network Logon:
User Name: JohnDoe
Domain: mydomain
Logon ID: (0x0,0x156256FF)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: \\TheMachine
/--------------------------------------------------------------/
He also generates some 540 events that do not say the machine, mostly
with :
Logon Process: Advapi
I need to know if I can, for a user, know when and from which machine,
has logged.
Also, I would like to know why the user generates events 540 in some or
nearly all of the domain controllers.
Thanks and peace to everybody
Alfonso Rodriguez
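
Added example, not part of the original post: one way to collate event 540 descriptions gathered from several domain controllers into a per-workstation view for one user, counting separately the events (such as the Advapi ones mentioned above) that carry no workstation name. It assumes the events have already been exported as text with the DC name and a sortable timestamp attached; the records, timestamps, the second user, the second workstation and the Advapi authentication package value are constructed sample data.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_fields(description):
    """Turn the 'Name: value' lines of an event description into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(description)}

def make_540(user, process, package, workstation):
    """Build a constructed event 540 description in the layout shown in the post."""
    return ("Successful Network Logon:\n"
            f"User Name: {user}\nDomain: mydomain\n"
            "Logon ID: (0x0,0x156256FF)\nLogon Type: 3\n"
            f"Logon Process: {process}\n"
            f"Authentication Package: {package}\n"
            f"Workstation Name: {workstation}\n")

# Constructed sample: (domain controller, timestamp, description).
SAMPLE = [
    ("A", "2005-03-01 08:01:12", make_540("JohnDoe", "NtLmSsp", "NTLM", "\\\\TheMachine")),
    ("C", "2005-03-01 08:01:15", make_540("JohnDoe", "NtLmSsp", "NTLM", "\\\\TheMachine")),
    ("B", "2005-03-01 08:03:40", make_540("JohnDoe", "Advapi", "Negotiate", "")),
    ("A", "2005-03-01 08:05:00", make_540("JaneRoe", "NtLmSsp", "NTLM", "\\\\TheMachine")),
    ("D", "2005-03-01 09:30:02", make_540("JohnDoe", "NtLmSsp", "NTLM", "\\\\OtherPC")),
]

def summarize(records, user):
    """Return ({workstation: first/last seen and reporting DCs}, count without workstation)."""
    seen = defaultdict(lambda: {"first": None, "last": None, "dcs": set()})
    unattributed = 0
    for dc, ts, text in records:
        fields = parse_fields(text)
        if fields.get("User Name", "").lower() != user.lower():
            continue
        ws = fields.get("Workstation Name", "").lstrip("\\").upper()
        if not ws:                      # e.g. the Advapi events in the post
            unattributed += 1
            continue
        entry = seen[ws]
        # Timestamps in YYYY-MM-DD HH:MM:SS form sort correctly as strings.
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["dcs"].add(dc)
    return dict(seen), unattributed

if __name__ == "__main__":
    by_ws, blank = summarize(SAMPLE, "JohnDoe")
    for ws, info in sorted(by_ws.items()):
        print(ws, info["first"], info["last"], sorted(info["dcs"]))
    print("events without workstation name:", blank)
```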