I don't think this can be done. I wouldn't mind hearing differently though.
Best bet probably involves doing a network trace and watching where the specific auth packets are coming in from. Could be kerberos, could be ntlm, etc. I think we were extremely lucky when they finally started flowing up info on failed logons that included the IP. I seem to recall hearing that was pretty involved to get that working. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott Sent: Monday, February 21, 2005 8:53 PM To: [email protected] Subject: [ActiveDir] IP Addresses Logging into AD Is there a way to get a Domain Controller to report (via the Event Log, I assume) which IP Addresses are authenticating against it? We get 5778 events when an IP Address is authenticating against a DC and their subnet isn't defined. But we aren't interested in that. We want them to report it (for short-term diagnostics purposes only) when they do have a site defined. Don't know how this could be done, but I thought I'd ask the experts. Scott List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
