Windows Vista Tips

security audit

 
 
aurimas

 
      04-03-2009
Hi,

We need to audit user activity on particular computers. Let's say I have an
incident on a particular computer. I know its IP; from DNS I can find out
its name. But what else I need is to find the users who were using that
computer during some time. I have enabled "Audit account logon events" in the GPO
on my Default Domain Controllers Policy, but I can't see the user accounts that
used that computer. This is my security log on the DC:


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2009.03.30
Time: 13:44:12
User: DARBUOT\UKK-MK-01704$
Computer: MRUCDDC01
Description:
Successful Network Logon:
User Name: UKK-MK-01704$
Domain: DARBUOT
Logon ID: (0x0,0x12A56E4A)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {5648b24a-aa61-db67-cdfe-b0258417e4c3}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.32.14
Source Port: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Thank you for your help,
Aurimas


 
aurimas

 
      04-14-2009
Any ideas?
Thanks

 
Meinolf Weber [MVP-DS]

 
      04-14-2009
Hello aurimas,

Have a look at this script:
http://www.rlmueller.net/Logon5.htm

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
aurimas

 
      04-28-2009
Thank you, Meinolf, for the information.

I am worried about security because the user will have write access to this
file. What I actually need is:


I enabled "Audit account logon events" on my DCs. I am collecting events from
the DCs into SCOM audit databases. How can I get information about user logon
activity on a specific PC? Microsoft says that event 672 (ticket log) does not
guarantee a successful user logon, so as I understand it you need to look at the 673
(service ticket log) event; otherwise, if NTLM authentication is used, I need to
look at event 680. So where, finally, do I have to look?

Using "Forensic_-_All_Events_For_Specified_Computer" I get only information
for my DCs and not for the PCs that the user was logged on to.

So is there any easy way to get user logon activity on a PC?

Thanks,
aurimas


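Added example (not code from this thread, from the rlmueller script linked above, or from Microsoft): a Python parser for the Security log text export in the layout of the 540 record quoted at the top of the thread, written to answer the question asked in the first post and again in this one, which accounts used a given workstation, known by its IP or DNS name, within a time window. Two things the sample makes explicit: the 540 quoted above is the workstation's own computer account (the trailing `$`, the empty Workstation Name), so it says nothing about which person was logged on; and on a DC, "Audit account logon events" records user authentication as 673 (Kerberos service ticket, with a Client Address) or 680 (NTLM, with a Source Workstation name), so the search has to match on both the address and the host name. Assumptions: the 673 and 680 field names follow the Windows Server 2003 event text as I know it and should be checked against a real export; the records for jdoe, asmith, bob and FINANCE-PC7 are constructed for the example; and each DC only logs the authentication it performed itself, so every DC's export has to be searched. Interactive sessions on the PC itself are recorded there only if "Audit logon events" is enabled on the workstations, which is why a report restricted to the DCs cannot show them.

```python
"""Per-workstation logon activity from a Windows Server 2003 DC Security log text export."""
import re
from datetime import datetime

# Constructed sample in the export's "Key: value" layout. The first record is the 540
# quoted in the thread (trimmed); the 673, 680 and second 540 are invented for this
# example, and their field names are an assumption to check against a real export.
SAMPLE_EXPORT = """\
Event Type: Success Audit
Event ID: 540
Date: 2009.03.30
Time: 13:44:12
Description:
Successful Network Logon:
User Name: UKK-MK-01704$
Domain: DARBUOT
Workstation Name:
Source Network Address: 192.168.32.14

Event Type: Success Audit
Event ID: 673
Date: 2009.03.30
Time: 13:44:20
Description:
Service Ticket Granted:
User Name: jdoe
User Domain: DARBUOT
Service Name: UKK-MK-01704$
Client Address: 192.168.32.14

Event Type: Success Audit
Event ID: 680
Date: 2009.03.30
Time: 13:50:02
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: asmith
Source Workstation: UKK-MK-01704
Error Code: 0x0

Event Type: Success Audit
Event ID: 540
Date: 2009.03.30
Time: 13:52:40
Description:
Successful Network Logon:
User Name: bob
Workstation Name: FINANCE-PC7
Source Network Address: 192.168.32.99
"""


def event_time(date_str, time_str):
    """Combine the export's Date (YYYY.MM.DD) and Time fields into a datetime."""
    return datetime.strptime(date_str + " " + time_str, "%Y.%m.%d %H:%M:%S")


def parse_export(text):
    """One dict of 'Key: value' fields per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            records.append(fields)
    return records


def _first(rec, *keys):
    """First field among keys that is present and not the '-' placeholder."""
    return next((rec[k] for k in keys if rec.get(k) and rec[k] != "-"), "")


def logons_for_host(records, ip, hostname, start, end):
    """(timestamp, event id, account, 'user'|'computer') for events in [start, end]
    whose origin is the host. A trailing '$' is a computer account, i.e. the
    workstation authenticating itself, which is what the thread's 540 shows."""
    targets = {ip.lower(), hostname.lower()}
    hits = []
    for rec in records:
        when = event_time(rec["Date"], rec["Time"])
        # 540 carries Source Network Address / Workstation Name, 673 Client Address,
        # 680 Source Workstation (a NetBIOS name, hence matching on the hostname too).
        origin = _first(rec, "Source Network Address", "Client Address",
                        "Workstation Name", "Source Workstation").lower()
        account = _first(rec, "User Name", "Logon account")
        if start <= when <= end and origin in targets and account:
            kind = "computer" if account.endswith("$") else "user"
            hits.append((when.isoformat(sep=" "), int(rec["Event ID"]), account, kind))
    return hits


def users_for_host(records, ip, hostname, start, end):
    """Distinct user accounts (computer accounts excluded) seen from the host."""
    hits = logons_for_host(records, ip, hostname, start, end)
    return sorted({acct for _, _, acct, kind in hits if kind == "user"})


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    start, end = event_time("2009.03.30", "13:00:00"), event_time("2009.03.30", "14:00:00")
    print(users_for_host(recs, "192.168.32.14", "UKK-MK-01704", start, end))
```

Run as-is it lists the user accounts seen from 192.168.32.14 in the sample; in practice, replace SAMPLE_EXPORT with a Security log text export (or the event text stored in SCOM) from each DC, and treat a 672 on its own as evidence of a ticket request, not of a completed logon, as the post above notes.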
 
Meinolf Weber [MVP-DS]

 
      04-28-2009
Hello aurimas,

If you use the link in my previous posting, read it and run the script, you
get the information.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
aurimas

 
      04-29-2009
Hello, Meinolf,

Using this script during user logon, we have to give the user write permissions on
that script, and this is a big security issue. That's why using the security log is
better, but I cannot find the right events to track logon activity on computers.

aurimas

 
Meinolf Weber [MVP-DS]

 
      04-29-2009
Hello aurimas,

The user needs write permission to a folder defined in the script where you
save all the outputs, not to the script itself, so if you create a hidden
share the user won't see or find it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
Venkatesh

 
      05-07-2009
Hi aurimas,

EventCombMT is a multithreaded tool that can be used to search the event
logs of several different computers for specific events, all from one central
location. You can configure EventCombMT to search the event logs in a very
detailed fashion.
http://www.microsoft.com/downloads/d...displaylang=en


Auditing Security Events Best practices
http://technet.microsoft.com/en-us/l.../cc778162.aspx

HTH
V





 