Click here to get back home

possible to log when a domain user locks workstation?
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
possible to log when a domain user locks workstation? Reluctant Sys-A 08-23-2006
Get Chitika Premium
Posted by Reluctant Sys-A on August 23, 2006, 12:41 am
Please log in for more thread options
 I have a 2003 Server domain controller and XP workstations. I am trying to
audit when domain users log on and off the domain for the day, however,
certain users are not logging off but simply locking the workstation at the
end of the day and unlocking it the next day. These events do not appear in
the security events log on the domain controller. Is there any way to log
when a user locks a workstation either on the domain controller OR on the
local machine?

Posted by Adam on August 23, 2006, 4:15 pm
Please log in for more thread options
 Reluctant Sys-Admin wrote:
> I have a 2003 Server domain controller and XP workstations. I am trying to
> audit when domain users log on and off the domain for the day, however,
> certain users are not logging off but simply locking the workstation at the
> end of the day and unlocking it the next day. These events do not appear in
> the security events log on the domain controller. Is there any way to log
> when a user locks a workstation either on the domain controller OR on the
> local machine?

Yes -- use group policy to enable logon/logoff success auditing on the
XP workstations.

Basically locking and unlocking a machine doesn't touch the network so
the domain controller will never know -- instead you have to gather
together the audit logs from the workstations.

Posted by Reluctant Sys-A on August 23, 2006, 7:57 pm
Please log in for more thread options
Thanks Adam! I'll give it a try.

"Adam" wrote:

> Reluctant Sys-Admin wrote:
> > I have a 2003 Server domain controller and XP workstations. I am trying to
> > audit when domain users log on and off the domain for the day, however,
> > certain users are not logging off but simply locking the workstation at the
> > end of the day and unlocking it the next day. These events do not appear in
> > the security events log on the domain controller. Is there any way to log
> > when a user locks a workstation either on the domain controller OR on the
> > local machine?
>
> Yes -- use group policy to enable logon/logoff success auditing on the
> XP workstations.
>
> Basically locking and unlocking a machine doesn't touch the network so
> the domain controller will never know -- instead you have to gather
> together the audit logs from the workstations.
>

Posted by Steven L Umbach on August 24, 2006, 11:24 pm
Please log in for more thread options
In particular look for type 7 logons. My experience however is that an event
seems to be recorded when the user unlocks the computer but not when they
lock it. Be sure to test it out to see what the results are. You may want to
implement a policy that users are required to logoff of their computers at
the end of a day with a reminder that lack to do so could result in
discipline and/or loss of data if you are forced to logoff users that just
lock their computers.

Steve

http://www.windowsecurity.com/articles/Logon-Types.html --- Windows logon
types

Logon Type 7 - Unlock
Hopefully the workstations on your network automatically start a password
protected screen saver when a user leaves their computer so that unattended
workstations are protected from malicious use. When a user returns to their
workstation and unlocks the console, Windows treats this as a logon and logs
the appropriate Logon/Logoff event but in this case the logon type will be
7 - identifying the event as a workstation unlock attempt. Failed logons
with logon type 7 indicate either a user entering the wrong password or a
malicious user trying to unlock the computer by guessing the password.


> Thanks Adam! I'll give it a try.
>
> "Adam" wrote:
>
>> Reluctant Sys-Admin wrote:
>> > I have a 2003 Server domain controller and XP workstations. I am
>> > trying to
>> > audit when domain users log on and off the domain for the day, however,
>> > certain users are not logging off but simply locking the workstation at
>> > the
>> > end of the day and unlocking it the next day. These events do not
>> > appear in
>> > the security events log on the domain controller. Is there any way to
>> > log
>> > when a user locks a workstation either on the domain controller OR on
>> > the
>> > local machine?
>>
>> Yes -- use group policy to enable logon/logoff success auditing on the
>> XP workstations.
>>
>> Basically locking and unlocking a machine doesn't touch the network so
>> the domain controller will never know -- instead you have to gather
>> together the audit logs from the workstations.
>>



Similar ThreadsPosted
user account get locks frequently March 26, 2007, 6:33 am
Add workstation to Domain July 28, 2006, 10:48 am
IAS + user smartcard + workstation certificate July 6, 2007, 9:48 am
Access is denied when trying to add a workstation to a new domain December 11, 2006, 3:12 pm
Windows 2003 Single Mode - Workstation Login says: DOMAIN (Win 200 January 10, 2006, 8:41 pm
EFS locks up system January 5, 2007, 12:23 pm
Window Computer Locks February 6, 2007, 1:16 pm
Accessing shares locks my account March 9, 2006, 10:14 am
Allowing a Domain User Admin Rights to a Couple of Domain Servers June 29, 2005, 8:13 pm
domain access control for local user of domain computer? April 3, 2008, 5:14 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap