Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: How to find out who's logged in ?

  1. #1

    How to find out who's logged in ?

    How can you find out who has logged into a NT/2000 computer. If you have the workstations set up not to cash any accounts then they have to authenticate at the domain controler which will do the logging. BUT I'm suspecting one of our users has made himself local Admin... therefore how can I find out who was logged in and when localy.

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Do you have netbios enabled?

    If so... try

    nbtstat -a x.x.x.x
    nbtstat -a hostname

    Should report back who is logged in... as well as services listed and domain names.

    http://jcifs.samba.org/src/docs/nbtcodes.html is a list of the netbios hex codes... so you know what you're looking at.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    excellent link but

    what i ment was who was logged in (let's say) yesterday ... where are the records of that kept

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Unless you have the auditing enabled.. then nope.
    I take it that from your last post that it isn't enabled.

    You might be able to look at the system and application logs and to determine if system changes were made, but it won't give you the username of who made the changes...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    One thing to keep in mind is that Windows Events are easily erased as Windows does not have a native syslogd component. If someone is slick enough, they can delete the logs and you'll be out of luck.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    is it possible to erace Widows logs only if you have Administrative priviledges or is there a know vulnerability which will enable regular users to do that

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by unhappyStar_7
    is it possible to erace Widows logs only if you have Administrative priviledges or is there a know vulnerability which will enable regular users to do that
    It's possible to delete the logs if you have admin rights. If you are on a domain you can enable auditting at the domainlevel. This unfortunately wouldn't log local logons on a workstation.

    Use usermanager to check the privs on that workstation and switch on auditting. You can audit logon/logoff and user and group management and check the logs on a regular basis.

    It's easy to check the logs using dumpsec from somarsoft.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Why not write a program which scans all the workstations and records the membership of the Administrators group

    Better still, look for anybody except "Administrator" and "Domain Admins" who's in it.

    I don't believe such a program would be difficult to write using ADSI and (for example) VBscript in the WSH.

    Then you could run that program periodically.

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    159
    If netbios is enable try Net command....

    Especially try ......

    net sessions

    This would list all the active sessions on ur PC... But this works on the moment...

    If u want to record the logins... I feel u could also try central loginng servers..incase u fear that the logfiles could be deleted from local PC... Normally the central Logging servers have inbuilt security to address the above issues.....

    Regards

    Kalp
    ****** Any man who knows all the answers most likely misunderstood the questions *****

  10. #10
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Also, if/when you do enable Security auditing, it will still place another entry (by default) in the Security Log when they clear the log. There are ways around this, of course, but you may not be dealing with someone that knows that.

    If you are using a Windows 2000 domain, then you can enable auditing as a GPO in AD so that you don't have to touch every machine.
    Opinions are like holes - everybody\'s got\'em.

    Smile

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •