This has me stumped..... The story......

I have SurfControl running to log and restrict internet use. I upgraded it this a.m. and, to make sure it was working, I ran the real-time monitor. Much to my surprise I see a domain admin surfing the net from a PC in a remote location (across the WAN). Hmmm.... I call the only person at the location that has the admin password and ask if she is using that machine. Nope! In fact it belongs to one of her "problem" children who brags about his computer/network prowess. Ok, I have her go to that office and see who he is logged in as. She does a Start-logout and sees that the PC claims he is logged in as himself. Hmmmm.... Ok, SurfControl is screwed up..... Just to be sure I run a script to capture the login name of the user logged on to the machine. It says _no-one_ is logged on but I know he is still on the machine because I can see the activity. Ok.... The script failed..... I run it against another machine in that location and it returns a valid domain user logged in. Ahhh.... The script fails against a local login. So I simulate that scenario and lo and behold it returns the local user name........

So now I'm baffled...... SurfControl gets the logged-in user name from an agent running on an AD server. As we all know, the name is irrelevant; it's the SUID that is the key to the user's ID. So how is the machine reporting the user as being of a different name to the AD server/SurfControl? How is my script reporting no user, therefore no SUID logged in, while I can see the activity generated by a user of some type?

If it is mixing/confusing SUIDs, wouldn't that be considered a colossal security issue on M$'s part?

Any thoughts would be much appreciated.......