
Missing PC - Want to know who last logged on

Posted by Hugh on June 28, 2007, 6:50 pm
We have a PC that is missing. It is a domain-based PC on a Win 2003 domain.
I have all security event logs from all domain controllers, but no access to
the missing PC's event logs. I also have access to SMS. In the event logs,
I have found several entries for the PC, but can't figure out how to
determine who last logged on. Is it possible without the PC's event logs?
Or with SMS? Thanks.
--
Hugh

Posted by Al Dunbar on June 28, 2007, 8:02 pm

> We have a PC that is missing. It is a domain-based PC on a Win 2003
> domain.
> I have all security event logs from all domain controllers, but no access
> to
> the missing PC's event logs. I also have access to SMS. In the event
> logs,
> I have found several entries for the PC, but can't figure out how to
> determine who last logged on. Is it possible without the PC's event logs?
> Or with SMS? Thanks.

I think you're out of luck, sorry.

The DCs don't keep track of where a person logs in from. And, while SMS may
indicate who was logged in when it last did a software or hardware scan, I
am almost completely positive that it does not log login events on the
workstations.

You should be able to determine within a week or so when it was last
actually present on your network. Check the modified date for the computer
account, and also the last password change date. Passwords for computer
accounts are changed regularly, and this is reflected in both active
directory and on the actual client computer. The process is done through
some handshaking between the computer and the DC, so you will know that the
computer was "present" on the date the account's password last changed.

/Al
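
The account-date check described in the reply above, as an added example that is not part of the original post: it reads an ldifde-style export of computer accounts and converts `pwdLastSet` and `whenChanged` to UTC dates. The export layout, account names and values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed ldifde-style export of two computer accounts (not real data).
SAMPLE_EXPORT = """\
dn: CN=WS-0142,OU=Workstations,DC=example,DC=local
whenChanged: 20070612101530.0Z
pwdLastSet: 128254867600000000

dn: CN=WS-0207,OU=Workstations,DC=example,DC=local
whenChanged: 20070627161002.0Z
pwdLastSet: 128273760000000000
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(value):
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 = never set."""
    ticks = int(value)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks > 0 else None

def generalized_time_to_utc(value):
    """whenChanged is LDAP GeneralizedTime, e.g. 20070612101530.0Z."""
    stamp = value.split(".")[0].rstrip("Z")
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_export(text):
    """Return one dict per account: dn, password_changed, account_modified."""
    accounts = []
    for record in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        modified = attrs.get("whenChanged")
        accounts.append({
            "dn": attrs.get("dn"),
            # The computer itself negotiates this change with a DC, so it was on the network then.
            "password_changed": filetime_to_utc(attrs.get("pwdLastSet", "0")),
            # Also moves when an administrator edits the account, so it is weaker evidence.
            "account_modified": generalized_time_to_utc(modified) if modified else None,
        })
    return accounts

def not_seen_since(accounts, cutoff):
    """DNs whose last password change is older than cutoff, or never happened."""
    return [a["dn"] for a in accounts
            if a["password_changed"] is None or a["password_changed"] < cutoff]

if __name__ == "__main__":
    for acct in parse_export(SAMPLE_EXPORT):
        print(acct["dn"], acct["password_changed"], acct["account_modified"])
```
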



Posted by Hugh on June 28, 2007, 11:26 pm
I was afraid of that. Thanks for the reply and the tips.
--
Hugh



Posted by Al Dunbar on June 28, 2007, 11:54 pm
For future use, there are command-line tools available for extracting the
date of last logon for all profile owners on a remote system; here is one:

http://www.microsoft.com/technet/sysinternals/Security/PsLoggedOn.mspx

If theft is a significant problem for you, you could schedule a nightly job
to collect this from your workstations. If it found one missing, it could
send the previous night's report for that workstation to an admin.

Alternately, you could log each session into a log file from your logon
script, and then run a job to process the logs.

Neither will prevent theft, but either could help identify when it might
have happened, and provide some evidence about who might have been around
at the time. Actually, the logon script approach would pin this down much
more accurately.

/Al
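
One way to write the log-processing job suggested above (an added example, not part of the original post): it groups logon-script entries by workstation and returns the most recent sessions for any machine flagged as missing. The log line format (ISO timestamp, computer name, user), the function names and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed lines in an assumed format appended by a logon script:
# ISO timestamp, computer name, DOMAIN\user (not real data).
SAMPLE_LOG = r"""
2007-06-25T08:02:11,WS-0142,EXAMPLE\akhan
2007-06-26T17:40:03,ws-0142,EXAMPLE\bmoore
2007-06-26T08:15:47,WS-0207,EXAMPLE\cdiaz
this line is truncated garbage
2007-06-27T07:58:30,WS-0207,EXAMPLE\cdiaz
2007-06-26T09:05:00,WS-0142,EXAMPLE\akhan
""".strip().splitlines()

def parse_line(line):
    """Return (timestamp, COMPUTER, user), or None for a malformed line."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3 or not all(parts):
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    # Computer names are case-insensitive, so normalise before grouping.
    return when, parts[1].upper(), parts[2]

def sessions_by_computer(lines):
    """Group logons per computer, oldest first; also count skipped lines."""
    sessions, skipped = {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # a partial write from an interrupted logon, for instance
            continue
        when, computer, user = rec
        sessions.setdefault(computer, []).append((when, user))
    for entries in sessions.values():
        entries.sort()  # lines from many clients do not arrive in time order
    return sessions, skipped

def report_missing(lines, missing, history=3):
    """For each computer flagged missing, return its last few logons, newest first."""
    sessions, _ = sessions_by_computer(lines)
    return {name.upper(): sessions.get(name.upper(), [])[-history:][::-1]
            for name in missing}

if __name__ == "__main__":
    for name, logons in report_missing(SAMPLE_LOG, ["ws-0142"]).items():
        print(name, [(t.isoformat(), u) for t, u in logons])
```
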




Posted by Hugh on June 29, 2007, 12:30 am
Sounds good. Thanks again.
--
Hugh


