So what you're saying is that the actual Event Viewer entry for a user logging into the network would be on the workstation, not the server?
Joe Heaton

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 05, 2008 9:57 AM
To: NT System Admin Issues
Subject: Re: Security log question

On Wed, Mar 5, 2008 at 12:48 PM, Joe Heaton <[EMAIL PROTECTED]> wrote:
> For instance, there's a handful of entries for one of our developers,
> all saying Account Login, for today, but he left his machine on all
> night, and unlocked it this morning, so he hasn't logged into the
> network at all.

I believe unlocking a session only generates an Event Viewer entry on the host being unlocked, not on the DC. The Event ID is the same as a regular initial logon, but the text details show a different logon type. Not very helpful, if you ask me.

The consensus seems to be to forward events from workstations to a central event collection machine, and then filter there. I've seen suggestions of DIY solutions using an Event Log-to-syslog agent and any of the various syslog watching tools, or commercial products that do it all for you.

-- Ben

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
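An added example, not code from anyone in this thread: filtering collected logon events by logon type so that unlocks (type 7) do not show up as fresh logons. It assumes events in the Windows event XML layout with Event ID 4624 (Vista/Server 2008 and later; 528 on older systems) wrapped in an `<Events>` root; the host names, user names and sample records are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon type codes carried in the LogonType field of a logon event.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "7": "Unlock",
               "10": "RemoteInteractive", "11": "CachedInteractive"}

def _event(computer, user, logon_type):
    """Build one constructed 4624 record in the Windows event XML layout."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
        f"<Computer>{computer}</Computer></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>'
    )

# Constructed sample: what a central collector might hold for one morning.
SAMPLE = "<Events>" + "".join([
    _event("WS-DEV01", "dev1", 7),    # unlock after the machine ran overnight
    _event("WS-DEV01", "dev1", 7),
    _event("WS-ACCT02", "alice", 2),  # console logon
    _event("FILESRV", "dev1", 3),     # network logon to a server
]) + "</Events>"

def parse_logons(xml_text):
    """Yield (computer, user, logon_type_name) for each 4624 event."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        code = data.get("LogonType", "")
        yield (ev.findtext("e:System/e:Computer", namespaces=NS),
               data.get("TargetUserName", ""),
               LOGON_TYPES.get(code, f"Other({code})"))

def summarize(xml_text, ignore=("Unlock",)):
    """Count logons per (computer, user, type), dropping the ignored types."""
    return Counter(r for r in parse_logons(xml_text) if r[2] not in ignore)

if __name__ == "__main__":
    for (host, user, kind), n in sorted(summarize(SAMPLE).items()):
        print(f"{host:10} {user:8} {kind:12} {n}")
```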
