-
June 19th, 2003, 01:04 AM
#1
How to find out who's logged in?
How can you find out who has logged into an NT/2000 computer? If you have the workstations set up not to cache any accounts then they have to authenticate at the domain controller, which will do the logging. BUT I'm suspecting one of our users has made himself local Admin... therefore how can I find out who was logged in and when locally?
-
June 19th, 2003, 01:10 AM
#2
Do you have netbios enabled?
If so... try
nbtstat -a x.x.x.x
nbtstat -a hostname
Should report back who is logged in... as well as services listed and domain names.
http://jcifs.samba.org/src/docs/nbtcodes.html is a list of the netbios hex codes... so you know what you're looking at.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
June 19th, 2003, 01:13 AM
#3
excellent link but
what I meant was who was logged in (let's say) yesterday... where are the records of that kept?
-
June 19th, 2003, 01:23 AM
#4
Unless you have the auditing enabled.. then nope.
I take it that from your last post that it isn't enabled.
You might be able to look at the system and application logs and to determine if system changes were made, but it won't give you the username of who made the changes...
-
June 19th, 2003, 01:37 AM
#5
One thing to keep in mind is that Windows Events are easily erased as Windows does not have a native syslogd component. If someone is slick enough, they can delete the logs and you'll be out of luck.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
June 19th, 2003, 03:22 AM
#6
Is it possible to erase Windows logs only if you have Administrative privileges, or is there a known vulnerability which will enable regular users to do that?
-
June 19th, 2003, 10:41 AM
#7
Originally posted here by unhappyStar_7
Is it possible to erase Windows logs only if you have Administrative privileges, or is there a known vulnerability which will enable regular users to do that?
It's possible to delete the logs if you have admin rights. If you are on a domain you can enable auditing at the domain level. This unfortunately wouldn't log local logons on a workstation.
Use usermanager to check the privs on that workstation and switch on auditing. You can audit logon/logoff and user and group management and check the logs on a regular basis.
It's easy to check the logs using dumpsec from somarsoft.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 19th, 2003, 11:05 AM
#8
Why not write a program which scans all the workstations and records the membership of the Administrators group
Better still, look for anybody except "Administrator" and "Domain Admins" who's in it.
I don't believe such a program would be difficult to write using ADSI and (for example) VBscript in the WSH.
Then you could run that program periodically.
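The periodic scan suggested in post #8, as an added example that is not part of the original thread. It uses PowerShell instead of VBScript, with the same ADSI WinNT provider. The file names, the allow-list and the English group name "Administrators" are assumptions to adjust for your environment.

```powershell
# Added example: audit local Administrators membership via the ADSI WinNT provider.
# Assumptions (not from the thread): workstation names are in workstations.txt,
# one per line; the group is named "Administrators" (it is localized on
# non-English Windows); the allow-list matches your environment.
param(
    [string]$ComputerList = '.\workstations.txt',
    [string[]]$Allowed    = @('Administrator', 'Domain Admins'),
    [string]$ReportPath   = '.\local-admins.csv'
)

function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Members come back as COM objects; read their properties via reflection.
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Computer   = $Computer
            Member     = $name
            ADsPath    = $path   # shows whether the member is a local or a domain account
            Unexpected = $Allowed -notcontains $name
            CheckedAt  = (Get-Date).ToString('s')
            Error      = $null
        }
    }
}

$results = foreach ($computer in Get-Content -Path $ComputerList) {
    $computer = $computer.Trim()
    if (-not $computer) { continue }
    try {
        Get-LocalAdminMember -Computer $computer
    } catch {
        # Unreachable or access denied: record it so a silent host is not read as clean.
        [pscustomobject]@{
            Computer = $computer; Member = $null; ADsPath = $null; Unexpected = $null
            CheckedAt = (Get-Date).ToString('s'); Error = $_.Exception.Message
        }
    }
}

# Keep the full record for comparison between runs; show only what needs attention.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object { $_.Unexpected -or $_.Error } |
    Format-Table Computer, Member, ADsPath, Error -AutoSize
```

Writing the report to a share the workstation users cannot modify, and diffing successive reports, shows when a membership change appeared.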
-
June 19th, 2003, 11:33 AM
#9
Senior Member
If netbios is enabled try Net command....
Especially try ......
net sessions
This would list all the active sessions on your PC... But this works on the moment...
If you want to record the logins... I feel you could also try central logging servers.. in case you fear that the logfiles could be deleted from local PC... Normally the central logging servers have inbuilt security to address the above issues.....
Regards
Kalp
****** Any man who knows all the answers most likely misunderstood the questions *****
-
June 19th, 2003, 04:12 PM
#10
Also, if/when you do enable Security auditing, it will still place another entry (by default) in the Security Log when they clear the log. There are ways around this, of course, but you may not be dealing with someone that knows that.
If you are using a Windows 2000 domain, then you can enable auditing as a GPO in AD so that you don't have to touch every machine.
Opinions are like holes - everybody's got'em.