login audit

October 28, 2010 at 19:09:06
Specs: Windows XP, 1G
We have a windows 2003 server with xp pro client, clients login to our server and has a shared map drive to access docs, but recently a user complain that the file is read only and I can see on the server that 1 user has opened it twice under open files, but when I go to the users computer they have not, so I assume the same user have login to another machine and opened it, how do I check all my machines to see what they have login as and have a log?

I thought I would use Languard network scan and scan my network and it should show login name for each machine. But I have to do it right then when this situation happens because I don't have a log.

Or is there another way to audit the login to show what each machine is login as under windows 2003 AD?

Thanks


See More: login audit

Report •

#1
October 29, 2010 at 13:04:47

Report •

#2
October 29, 2010 at 23:37:58
I have tried Languard and for some reason it doesn't show login users to the computer, but my WIndows 2003 server shows the sessions which has the IP address of the computer and who is logged in and open files which also shows the users opened files, so how do I log this? Willl the audit login events shows this? since the audit login account also shows the person has login successful or failed but no other details of what machine etc. I am trying to check if the same users is login to 2 or more different machines and open the same files on 2 or more different machines.
Thanks

Report •

#3
October 31, 2010 at 08:29:59
If you want to see, at the momen,t if someone is logged in twice and accessing the same files look at the server shares and open files.

auditing files is one operation
auditing logons is another operation

between both and filtering the event viewer you should be able to get what you want.


Report •

Related Solutions

#4
October 31, 2010 at 23:07:20
I need a log of the sessions and opened files under server shares and open files and the audit files and login won't shows this, any ideas how I can get this?
Thanks

Report •

#5
November 1, 2010 at 10:07:02
no auditing for open sessions that I am aware of. Usually if the file has been open when you double click on it it tells you what account has it open.

Perhaps you could get this with 3rd party


Report •

#6
November 1, 2010 at 21:16:35
I have an idea Wanderer, I can run s bat file to do net session >>D:\session.log
But how to do loop it so it contiunes update?
Thanks


Report •

#7
November 2, 2010 at 08:03:23
at the end of the script you call the same batch file again. This will make it loop.

but if you are going to do that you might was well write a script that limits users to one logon. Did this back in NT days. User logs in and you create a file. User logs out the file is deleted. if the user logs in a second time, you check to see if the file exists and if it does you auto log them out.

might want to post the request in the programming forum.


Report •

#8
November 3, 2010 at 08:51:51
I can do that with a utils for 2003 server to stop concurrent login but I didn;t want to do that as I just want to monitor 1 user from logging to 2 machines.

Report •

#9
November 3, 2010 at 09:39:31
same principle then. put a script in the users logon that captures the machine name and writes it to a file you can review.

Report •

#10
November 4, 2010 at 04:46:42
Do you have a working script I can try, I was thinking of running a script net session >>\\server\logs\session.log for everyone that logins to the server, this will show the session.log of everyone's details.? also net file will show me the files open

This should tell me any users login to 2 different terminals.

Only problem is the log file gets bigger, how do I make it so it overwrites the existing file?


Report •

#11
November 4, 2010 at 23:31:11
I think I do need the file updated rather than deleted so I can see the history of net sessions but it doesn't give me the time of the users login.
Another thing it doesn't work when I put it in the login script, the script runs on the local computer and not the server.
Any ideas.
My .bat script when a users logins.

net session >>\\server\logs\session.log


Report •

Ask Question