
How to find out what computer a user logged in on.

Anonymous
April 21, 2005 6:43:01 PM

Archived from groups: microsoft.public.win2000.security

I need to know how to find out what computer a user logged in on.
I've looked in the Security Event Log, and I see there's a field for
it. But, there's no information in that field. It's almost always
blank.
Also, how can I find out what computer(s) a user is currently
logged in on? I have the Windows 2000 Resource Kit, but I haven't
seen a tool in there that will tell me. Any help you can give is
greatly appreciated.
Anonymous
April 21, 2005 7:02:25 PM

For a domain your best bet is to enable auditing of logon events in Domain
Controller Security Policy and for domain computers enable auditing of logon
events in Domain Security Policy. Be sure to increase the size of your
security log quite a bit on your domain controllers to say at least 10MB.
You would then have to look in the security logs of the domain controllers
to see the user name and account logon events. There would also be a logon
event recorded on the domain computer where they logged on though that would
be more difficult to find though the free tool Event Comb can scan the logs
of multiple computers for specific events or text strings such as a user or
computer name. If you have at least one Windows 2003 domain controller you
can use the new limitlogon RK tool to track user logons. The link below may
help. -- Steve

http://www.microsoft.com/technet/security/prodtech/wind...
http://www.thincomputing.net/newsitem296.html -- limitlogon info and FAQ
link

<Atlanta Thrashers Fan> wrote in message
news:95vf61hc3cod07uq8hp2s8vk7uigf5m238@4ax.com...
> I need to know how to find out what computer a user logged in on.
> I've looked in the Security Event Log, and I see there's a field for
> it. But, there's no information in that field. It's almost always
> blank.
> Also, how can I find out what computer(s) a user is currently
> logged in on? I have the Windows 2000 Resource Kit, but I haven't
> seen a tool in there that will tell me. Any help you can give is
> greatly appreciated.
Anonymous
April 25, 2005 6:54:10 PM

Steven L Umbach wrote:
> For a domain your best bet is to enable auditing of logon events in Domain
> Controller Security Policy and for domain computers enable auditing of logon
> events in Domain Security Policy. Be sure to increase the size of your
> security log quite a bit on your domain controllers to say at least 10MB.
> You would then have to look in the security logs of the domain controllers
> to see the user name and account logon events. There would also be a logon
> event recorded on the domain computer where they logged on though that would
> be more difficult to find though the free tool Event Comb can scan the logs
> of multiple computers for specific events or text strings such as a user or
> computer name. If you have at least one Windows 2003 domain controller you
> can use the new limitlogon RK tool to track user logons. The link below may
> help. -- Steve
>
> http://www.microsoft.com/technet/security/prodtech/wind...
> http://www.thincomputing.net/newsitem296.html -- limitlogon info and FAQ
> link
>
> <Atlanta Thrashers Fan> wrote in message
> news:95vf61hc3cod07uq8hp2s8vk7uigf5m238@4ax.com...
>
>> I need to know how to find out what computer a user logged in on.
>> I've looked in the Security Event Log, and I see there's a field for
>> it. But, there's no information in that field. It's almost always
>> blank.
>> Also, how can I find out what computer(s) a user is currently
>> logged in on? I have the Windows 2000 Resource Kit, but I haven't
>> seen a tool in there that will tell me. Any help you can give is
>> greatly appreciated.

We use EventComb for just that purpose, and we find it works well for
us. We often need to find out who was where when; the only thing is you
must either have a big enough event log or act fast (as Steven indicated)!
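
Added example, not part of any post in this thread and not EventComb's own code: a Python version of the search the replies describe, scanning records collected from several computers' Security logs for one user and handling the blank workstation field from the original question by falling back to the computer that held the record. The record layout, computer names and user names are constructed assumptions; 528/540 are the Windows 2000/2003 logon event IDs and logon types 2 and 3 mean interactive and network.

```python
import re

# Windows 2000/2003 Security log event IDs:
# 528 = successful logon, 540 = successful network logon.
LOGON_EVENT_IDS = {528, 540}
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*)$", re.MULTILINE)

def desc(user, logon_type, workstation):
    """Build a constructed event description in 'Field: value' layout."""
    return (f"User Name:\t{user}\nDomain:\tCORP\n"
            f"Logon Type:\t{logon_type}\nWorkstation Name:\t{workstation}\n")

# Constructed sample: (computer whose Security log held the record, event ID, text)
SAMPLE = [
    ("WKS-014", 528, desc("jsmith", 2, "WKS-014")),
    ("DC01",    540, desc("jsmith", 3, "")),        # blank field, as in the question
    ("FS02",    540, desc("jsmith", 3, "WKS-014")),
    ("WKS-020", 528, desc("adoe", 2, "WKS-020")),
    ("WKS-014", 538, desc("jsmith", 2, "")),        # 538 = logoff, ignored
]

def find_logons(records, user):
    """Return logon events for `user`, keeping the computer each record came from."""
    hits = []
    for log_computer, event_id, text in records:
        if event_id not in LOGON_EVENT_IDS:
            continue
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(text)}
        if fields.get("User Name", "").lower() != user.lower():
            continue
        hits.append({
            "logged_on_to": log_computer,           # always known: it is that machine's log
            "event_id": event_id,
            "logon_type": int(fields.get("Logon Type", "0")),
            "source": fields.get("Workstation Name") or None,  # None when blank
        })
    return hits

def interactive_computers(records, user):
    """Computers where the user logged on at the console (logon type 2)."""
    return sorted({h["logged_on_to"] for h in find_logons(records, user)
                   if h["logon_type"] == 2})

if __name__ == "__main__":
    for hit in find_logons(SAMPLE, "jsmith"):
        print(hit)
    print(interactive_computers(SAMPLE, "jsmith"))
```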