Sign in with
Sign up | Sign in
Your question

Get list of users who logged into Domain Controller?

Last response: in Windows 2000/NT
Share
Anonymous
November 9, 2004 9:38:42 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

I know that this is after-the-fact, but is there anything in a Windows
2000 Domain Controller (Windows 2000 Advanced Server) that would allow
us to see who has logged into the DC over time?

We had a very strange incident that appears to have started at the end
of last week, just before the weekend, where all of a sudden, a lot of
things stopped working (not being able to log onto shared drives,
etc.).
I just helped getting things working again this evening, and I was kind
of surprised that the end resolution was that the "Client for Microsoft
Networks" was missing from the Network Properties. Once we re-installed
that, everything appeared to start working, for which I was very
grateful, but now I'm beginning to wonder how that could have happened.

One of the possibilities that I'm wondering about is if someone might
have either inadverdently or maliciously gone in and removed Client for
Microsoft Networks.

Thanks in advance,
Jim
Anonymous
November 10, 2004 12:29:58 AM

Archived from groups: microsoft.public.win2000.security (More info?)

If you want to know who is logging on locally to your domain controller, you
need to enable "Audit logon events" I suggest you also enable "audit account
logon events"
Both of these should be enabled on the domain controller policy.

--
Glenn L

CCNA, MCSE (2000,2003) + Security
"ohaya" <ohaya@cox.net> wrote in message news:41915502.F3FA0F54@cox.net...
> Hi,
>
> I know that this is after-the-fact, but is there anything in a Windows
> 2000 Domain Controller (Windows 2000 Advanced Server) that would allow
> us to see who has logged into the DC over time?
>
> We had a very strange incident that appears to have started at the end
> of last week, just before the weekend, where all of a sudden, a lot of
> things stopped working (not being able to log onto shared drives,
> etc.).
> I just helped getting things working again this evening, and I was kind
> of surprised that the end resolution was that the "Client for Microsoft
> Networks" was missing from the Network Properties. Once we re-installed
> that, everything appeared to start working, for which I was very
> grateful, but now I'm beginning to wonder how that could have happened.
>
> One of the possibilities that I'm wondering about is if someone might
> have either inadverdently or maliciously gone in and removed Client for
> Microsoft Networks.
>
> Thanks in advance,
> Jim
Anonymous
November 10, 2004 10:43:54 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Glenn,

Thanks. I'll try that.

It looks like these are both disabled by default?

Jim




Glenn L wrote:
>
> If you want to know who is logging on locally to your domain controller, you
> need to enable "Audit logon events" I suggest you also enable "audit account
> logon events"
> Both of these should be enabled on the domain controller policy.
>
> --
> Glenn L
Anonymous
November 14, 2004 1:11:01 AM

Archived from groups: microsoft.public.win2000.security (More info?)

They are not enabled by default. The one you want to enable is account logon
events in Domain Controller Security Policy. You will have to examine the
security logs on all the domain controllers as the event will be recorded in
the log of the domain controller that authenticated a user. The free Event
Comb from Microsoft can make it easy to search the security logs of multiple
domain controllers. --- Steve

http://www.microsoft.com/technet/security/guidance/secm... --- MS
white paper on auditing.

"ohaya" <ohaya@cox.net> wrote in message news:41920D0A.8E90EEDE@cox.net...
> Glenn,
>
> Thanks. I'll try that.
>
> It looks like these are both disabled by default?
>
> Jim
>
>
>
>
> Glenn L wrote:
>>
>> If you want to know who is logging on locally to your domain controller,
>> you
>> need to enable "Audit logon events" I suggest you also enable "audit
>> account
>> logon events"
>> Both of these should be enabled on the domain controller policy.
>>
>> --
>> Glenn L
!