Archived from groups: microsoft.public.win2000.security (
More info?)
Be sure you check all the logon event entries. I also see a lot of what you
describe but I also do see events logged with the computer IP as shown
below. I admit that Windows account logon auditing is less than friendly as
in the user is always shown as system in the security log table. If you
enable auditing of logon events in domain computers a logon event will also
be recorded on the domain computer when a domain user logs onto it. ---
Steve
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 3/9/2005
Time: 8:58:13 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER1-2003
Description:
Service Ticket Request:
User Name: Administrator@Test1.COM
User Domain: TEST1.COM
Service Name: SERVER1-2003$
Service ID: TEST1\SERVER1-2003$
Ticket Options: 0x40800000
Ticket Encryption Type: 0x17
Client Address: 192.168.1.52
Failure Code: -
Logon GUID: {831290c7-686c-b3cd-0a2f-16c434e9b3fb}
Transited Services: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Ronald" <Ronald@discussions.microsoft.com> wrote in message
news:C13A9AAC-5E97-4A99-A5DD-95282313C6A0@microsoft.com...
> more information, as you can see, I login from a remote PC to the domain,
> but
> the logon shows the client IP as 127.0.0.1
>
> Authentication Ticket Granted:
> User Name: Administrator
> Supplied Realm Name: ALTDOMAIN
> User ID: %{S-1-5-21-1390850448-2335789268-393128203-500}
> Service Name: krbtgt
> Service ID: %{S-1-5-21-1390850448-2335789268-393128203-502}
> Ticket Options: 0x40810010
> Ticket Encryption Type: 0x17
> Pre-Authentication Type: 2
> Client Address: 127.0.0.1
>
> "Ronald" wrote:
>
>> Hi All,
>> not sure if you come across this problem.
>>
>> I have a domain with 8 members servers. Apparently we had turn on
>> security
>> audit for successful logon as well.
>>
>> The problem is user name, server name etc are correctly captured in the
>> event log(Security( but it does not capture the correct IP of the remote
>> host
>> that login to the domain. The IP shown in the log is 127.0.0.1(local host
>> address). Can anyone help and advise any settings that I have miss out?
>>
>> Regards
>> Ronald
>>