-----Original Message-----
From: James Winzenz [mailto:[EMAIL PROTECTED]
Subject: RE: Security log question

> Depends on your audit policy.  You would need to have audit
> account logon events

Audit Account Logon events means you are logging when credentials are 
validated. For a domain account, this event will be logged on a DC.

I don't think this is what OP wants.

Instead I think OP wants "Audit Account Events". These are logged when user 
sessions are created/destroyed and are logged on the machine where the session 
is created (e.g. interactive logon to a desktop, or on a server when you 
connect to a network share).

To the OP:
You may need to edit the local security policy to get auditing enabled (Start 
-> secpol.msc -> Local Policies -> Audit Policy)

You can also set this via a GPO that has the relevant computer objects in scope.

Cheers
Ken





> and maybe also audit logon events enabled (at least for
> success) in your default computer policy (which would apply to all
> non-Domain Controllers in your domain).  Check your default computer
> policy (or whatever you use in its place) for the audit policy settings.
> It is in the following section:
>
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies/Audit Policies section.
>
> If it is not currently enabled, highly recommended that you take a look
> at your audit policy and make changes.

Thanks,

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services


-----Original Message-----
From: Joe Heaton [mailto:[EMAIL PROTECTED]
Posted At: Wednesday, March 05, 2008 11:24 AM
Posted To: NTSysadmin
Conversation: Security log question
Subject: RE: Security log question

Hmm, is that something I need to tell my machine to log?  Looking at my
own machine, which I turn off each night, I don't see any 528 entries.


Joe Heaton

-----Original Message-----
From: James Winzenz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 05, 2008 10:12 AM
To: NT System Admin Issues
Subject: RE: Security log question

I think really the best method is to look at the security logs for the
machine in question.  Look for Event ID 528 on the workstation, with a
logon type of 7 (indicates the workstation was unlocked).  Especially if
the user left his machine on all night, it will periodically generate
account logon events on the domain controller throughout the night, so
the DC logs won't really tell you what is going on here.  If the user
logs off his computer and logs back in the next day, you would look for
a logon type of 2 for interactive login.

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services


-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]
Posted At: Wednesday, March 05, 2008 10:57 AM
Posted To: NTSysadmin
Conversation: Security log question
Subject: Re: Security log question

On Wed, Mar 5, 2008 at 12:48 PM, Joe Heaton <[EMAIL PROTECTED]> wrote:
> For instance, there's a handful of entries for one of our developers,
> all saying Account Login, for today, but he left his machine on all
> night, and unlocked it this morning, so he hasn't logged into the
> network at all.

  I believe unlocking a session only generates an Event Viewer entry on
the host being unlocked, not on the DC.  The Event ID is the same as a
regular initial logon, but the text details show a different logon type.
Not very helpful, if you ask me.  The consensus seems to be forward
events from workstations to a central event collection machine, and then
filter there.  I've seen suggestions of DIY solutions using an Event
Log-to-syslog agent and any of the various syslog watching tools, or
commercial products that do it all for you.

-- Ben
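
The filtering described in the two messages above (Event ID 528 on the workstation, logon type 2 versus 7, evaluated on a central collection machine) can be sketched as follows. This is an added example, not code from anyone in the thread; the event tuples, host and user names, and the one-line description layout are constructed for illustration.

```python
import re

# Logon types named in the thread: 2 = interactive logon, 7 = workstation unlock.
PRESENCE_TYPES = {2: "interactive", 7: "unlock"}
FIELD = re.compile(r"(User Name|Logon Type):\s*(\S+)")

def _desc(user, logon_type):
    # Constructed one-line stand-in for an event description (assumed layout).
    return f"Successful Logon: User Name: {user} Domain: EXAMPLE Logon Type: {logon_type}"

# Constructed sample of forwarded events: (timestamp, host, event_id, description).
SAMPLE_EVENTS = [
    ("2008-03-04 17:42:10", "WS-QA02", 538, "User Logoff: User Name: asmith Logon Type: 2"),
    ("2008-03-05 02:00:05", "WS-DEV01", 528, _desc("svc_backup", 5)),  # service logon
    ("2008-03-05 07:58:31", "WS-DEV01", 528, _desc("jdoe", 7)),        # morning unlock
    ("2008-03-05 08:15:02", "WS-QA02", 528, _desc("asmith", 2)),       # fresh logon
    ("2008-03-05 12:47:19", "WS-DEV01", 528, _desc("jdoe", 7)),        # later unlock
    ("2008-03-05 13:01:00", "WS-QA02", 528, "Successful Logon: User Name: asmith Dom"),
]

def parse_528(description):
    """Return (user, logon_type) from an event 528 description, or None."""
    fields = dict(FIELD.findall(description))
    try:
        return fields["User Name"], int(fields["Logon Type"])
    except (KeyError, ValueError):
        return None  # truncated or malformed record: skip rather than guess

def presence_events(events):
    """Keep only 528 events whose logon type shows a person at the console."""
    kept = []
    for ts, host, event_id, desc in events:
        if event_id != 528:
            continue
        parsed = parse_528(desc)
        if parsed is None or parsed[1] not in PRESENCE_TYPES:
            continue
        kept.append((ts, host, parsed[0], PRESENCE_TYPES[parsed[1]]))
    return sorted(kept)  # ISO-style timestamps sort chronologically

def first_seen_per_day(events):
    """Map (date, host, user) -> (time, kind) of the earliest presence event."""
    first = {}
    for ts, host, user, kind in presence_events(events):
        day, time = ts.split(" ")
        first.setdefault((day, host, user), (time, kind))
    return first
```
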

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

CONFIDENTIALITY NOTICE:  This email may contain confidential and
privileged material for the sole use of the intended recipient(s).  Any
review, use, distribution or disclosure by others is strictly
prohibited.  If you have received this communication in error, please
notify the sender immediately by email and delete the message and any
file attachments from your computer.  Thank you.
