I think really the best method is to look at the security logs for the
machine in question.  Look for Event ID 528 on the workstation, with a
logon type of 7 (indicates the workstation was unlocked).  Especially if
the user left his machine on all night, it will periodically generate
account logon events on the domain controller throughout the night, so
the DC logs won't really tell you what is going on here.  If the user
logs off his computer and logs back in the next day, you would look for
a logon type of 2 for interactive login.

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services


-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED] 
Posted At: Wednesday, March 05, 2008 10:57 AM
Posted To: NTSysadmin
Conversation: Security log question
Subject: Re: Security log question

On Wed, Mar 5, 2008 at 12:48 PM, Joe Heaton <[EMAIL PROTECTED]> wrote:
> For instance, there's a handful of entries for one of our developers,
> all saying Account Login, for today, but he left his machine on
> all night, and unlocked it this morning, so he hasn't logged into
> the network at all.

  I believe unlocking a session only generates an Event Viewer entry
on the host being unlocked, not on the DC.  The Event ID is the same
as a regular initial logon, but the text details show a different
logon type.  Not very helpful, if you ask me.  The consensus seems to
be to forward events from workstations to a central event collection
machine, and then filter there.  I've seen suggestions of DIY
solutions using an Event Log-to-syslog agent and any of the various
syslog watching tools, or commercial products that do it all for you.

-- Ben

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~ 
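
Added example (not part of the original thread): a small filter for a central collector that keeps only Event ID 528 records with logon type 2 or 7 and reports the first one per user, workstation and day. The one-line record layout, host names and user names are constructed for this example; a real Event Log-to-syslog agent will use its own layout.

```python
import re
from collections import namedtuple

# Logon types named in the thread for Event ID 528.
LOGON_TYPES = {2: "interactive logon", 7: "workstation unlock"}

Event = namedtuple("Event", "time host user kind")

# Assumed collector line layout (constructed for this example):
#   <ISO timestamp> <host> <event id> <flattened event text>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
USER_RE = re.compile(r"User Name:\s*(\S+)")
TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")

def parse_presence_events(lines):
    """Return Event tuples for 528 records with logon type 2 or 7."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "528":
            continue  # other event IDs are ignored
        time, host, _, text = m.groups()
        user, ltype = USER_RE.search(text), TYPE_RE.search(text)
        if not user or not ltype:
            continue  # malformed or truncated record
        kind = LOGON_TYPES.get(int(ltype.group(1)))
        if kind:
            events.append(Event(time, host, user.group(1), kind))
    return events

def first_seen_per_day(events):
    """Map (user, host, date) -> earliest Event on that date."""
    first = {}
    for ev in sorted(events, key=lambda e: e.time):
        first.setdefault((ev.user, ev.host, ev.time[:10]), ev)
    return first

# Constructed sample lines, not taken from a real log.
SAMPLE = [
    "2008-03-04T18:02:10 WS-DEV01 528 User Name: jdoe Domain: CORP Logon Type: 2",
    "2008-03-05T03:14:55 WS-DEV01 540 User Name: jdoe Domain: CORP Logon Type: 3",
    "2008-03-05T07:58:12 WS-DEV01 528 User Name: jdoe Domain: CORP Logon Type: 7",
    "2008-03-05T12:31:40 WS-DEV01 528 User Name: jdoe Domain: CORP Logon Type: 7",
    "2008-03-05T08:15:03 WS-QA02 528 User Name: asmith Domain: CORP Logon Type: 2",
    "2008-03-05T08:20:00 WS-QA02 528 truncated record",
]

if __name__ == "__main__":
    for ev in first_seen_per_day(parse_presence_events(SAMPLE)).values():
        print(ev.time, ev.host, ev.user, ev.kind)
```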
