Guest aurimas Posted April 2, 2009 Posted April 2, 2009 Hi, we need to audit users activity on particular camputers. Lets say I have an incident for the particular computer. I know it's IP, from DNS I can found uot its name. But what else I need is to find users who was using that computer during some time. I have enabled "Audit account logon events" in GPO on my Defoult domain Controllers Policy, but I cant see users account that used that computer. This is my security log in DC: Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 540 Date: 2009.03.30 Time: 13:44:12 User: DARBUOT\UKK-MK-01704$ Computer: MRUCDDC01 Description: Successful Network Logon: User Name: UKK-MK-01704$ Domain: DARBUOT Logon ID: (0x0,0x12A56E4A) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {5648b24a-aa61-db67-cdfe-b0258417e4c3} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 192.168.32.14 Source Port: 0 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. thank you for help, Aurimas Quote
Guest Peter Foldes Posted April 2, 2009 Posted April 2, 2009 Repost this to the server,security newsgroup where it belongs On the web: http://www.microsoft.com/communities/newsg...server.security -- Peter Please Reply to Newsgroup for the benefit of others Requests for assistance by email can not and will not be acknowledged. "aurimas" <aurimas@discussions.microsoft.com> wrote in message news:CB4CA010-5595-4097-9737-E38CADBC1E73@microsoft.com...<span style="color:blue"> > Hi, > > we need to audit users activity on particular camputers. Lets say I have an > incident for the particular computer. I know it's IP, from DNS I can found > uot its name. But what else I need is to find users who was using that > computer during some time. I have enabled "Audit account logon events" in GPO > on my Defoult domain Controllers Policy, but I cant see users account that > used that computer. This is my security log in DC: > > > Event Type: Success Audit > Event Source: Security > Event Category: Logon/Logoff > Event ID: 540 > Date: 2009.03.30 > Time: 13:44:12 > User: DARBUOTUKK-MK-01704$ > Computer: MRUCDDC01 > Description: > Successful Network Logon: > User Name: UKK-MK-01704$ > Domain: DARBUOT > Logon ID: (0x0,0x12A56E4A) > Logon Type: 3 > Logon Process: Kerberos > Authentication Package: Kerberos > Workstation Name: > Logon GUID: {5648b24a-aa61-db67-cdfe-b0258417e4c3} > Caller User Name: - > Caller Domain: - > Caller Logon ID: - > Caller Process ID: - > Transited Services: - > Source Network Address: 192.168.32.14 > Source Port: 0 > > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. > > thank you for help, > Aurimas > </span> Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.