Finding when & which users log in to Win2K

fbrdphreak

Hey all,
I need to know how you can find out which users logged into a Win2K Pro system and when they did it. We are running Novell if that makes a difference. Not sure if the event log is enabled by default on these systems. TIA
 

fbrdphreak

These are all on the network if that is what you are asking. Specifically we're looking for a way to find out locally if they logged in. Timestamps or log files or something
 

EyeMWing

Originally posted by: fbrdphreak
These are all on the network if that is what you are asking. Specifically we're looking for a way to find out locally if they logged in. Timestamps or log files or something

... Are the userIDs in question domain users or local users?

Local users, I don't think you can find out. Domain users, check the logs on the domain controller.
 

Rogue

If auditing wasn't turned on for Logon/Logoff on the local machine it will be tough. Did they log in ONLY on the local machine? Do you have a network sniffer in the path that could catch the authentication data to/from the box? What do you suspect they did on the Win2k computer? Could any information be leaked from those files? Perhaps a website they visited, etc?
 

Runes911

Originally posted by: EyeMWing
Originally posted by: fbrdphreak
These are all on the network if that is what you are asking. Specifically we're looking for a way to find out locally if they logged in. Timestamps or log files or something

... Are the userIDs in question domain users or local users?

Local users, I don't think you can find out. Domain users, check the logs on the domain controller.

Hmm, he said Novell; doubtful they have a DC.
 

Jzero

Originally posted by: fbrdphreak
Domain users, registered with the network & all. Was just hoping for a way to find out locally

If they are domain users, then their logon events should be recorded in the Security Event Log on the DC, along with what workstation originated the logon events.

 

funkymatt

c:\documents and settings\user

look at the timestamp on the username's folder... that's when they last logged in.
 

acemcmac

Originally posted by: funkymatt
c:\documents and settings\user

look at the timestamp on the username's folder... that's when they last logged in.

for the win :beer:
 

fbrdphreak

The DC is Novell Netware based, so they're thinking those logs were probably not set up. They know for sure they can check the last time a user logged in & from what IP, but we're not yet sure if the breach was someone logging in to an unauthorized machine w/their ID or the actual user's ID
 

fbrdphreak

Unfortunately the possible breach happened around 9/14-9/15 and the proper user has since logged into that system
 

funkymatt

oh, so someone obtained the username/password and logged in to the machine that normally uses that username? that complicates things a bit.
 

fbrdphreak

We're not sure. We will be checking the profiles (when a new user logs in through Novell on a machine it creates that user's profile under "doc & settings") to see if someone unauthorized logged in with THEIR OWN acct, otherwise they probably breached the authorized user's acct. not sure which yet
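
The profile check described in the post above, as an added example (not code from the thread): a Python sketch that walks a copy of the "Documents and Settings" folder and reports, per profile, which timestamps fall inside a time window of interest. It assumes NTUSER.DAT is written back at logoff and that it runs against a read-only copy or mounted image so the timestamps are not disturbed; the function name and labels are hypothetical.

```python
import os
import sys
from datetime import datetime

def profile_activity(profiles_root, start, end):
    """Return {profile: {label: datetime}} for timestamps inside [start, end]."""
    hits = {}
    for entry in sorted(os.scandir(profiles_root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue  # only profile folders are of interest
        st = entry.stat(follow_symlinks=False)
        # Creation time marks the first logon that built the profile. On
        # Windows this is st_birthtime (or st_ctime on older Pythons); on
        # other systems st_ctime is inode-change time, so treat it as a hint.
        stamps = {
            "folder_created": getattr(st, "st_birthtime", st.st_ctime),
            "folder_modified": st.st_mtime,
        }
        hive = os.path.join(entry.path, "NTUSER.DAT")
        if os.path.isfile(hive):
            # Assumption: the user hive is flushed at logoff, so its mtime
            # approximates the end of the most recent session.
            stamps["ntuser_modified"] = os.stat(hive).st_mtime
        in_window = {}
        for label, ts in stamps.items():
            when = datetime.fromtimestamp(ts)  # local time, like Explorer shows
            if start <= when <= end:
                in_window[label] = when
        if in_window:
            hits[entry.name] = in_window
    return hits

if __name__ == "__main__":
    # usage: script.py <profiles_root> <start ISO datetime> <end ISO datetime>
    root, start, end = sys.argv[1], sys.argv[2], sys.argv[3]
    window = (datetime.fromisoformat(start), datetime.fromisoformat(end))
    for name, found in profile_activity(root, *window).items():
        for label, when in found.items():
            print(f"{name}\t{label}\t{when.isoformat(sep=' ')}")
```

A later logon by the same account overwrites the modification times, so a profile missing from the output does not rule out an earlier session.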
 

CVSiN

this is why AD rocks... novell = yuck... we can tell to the second when any user logs into the domain from citrix/ipass/termserver or local workstation.
 

hevnsnt

Right click on "My Computer", go to Manage.

Click the plus next to Event Viewer
Select Security
See who logged in.
 

fbrdphreak

Problem with that is we think the images on these machines have event log disabled by default or something, but thx
 

Jzero

Originally posted by: fbrdphreak
Problem with that is we think the images on these machines have event log disabled by default or something, but thx

*forehead slap*

Use Group Policy to enable logging!!