Finding the computer used to change domain... Expand / Collapse
Author
Message
Posted 9/14/2009 2:14:34 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 9/14/2009 11:21:07 AM
Posts: 2, Visits: 0
Hi,

 I'm trying to figure out when a user change password, what computer the password change request came from.

I can't see this information neither on Domain Controller, not in the computer.

Thank you for any help

Post #207
Posted 9/14/2009 3:58:22 PM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
  1. Get the Caller Logon ID from this event.
  2. look backwards in same log for event 528 or 540 with the same logon ID
  3. look in that 528 or 540 event for Workstation Name and/or Source Network Address
Post #208
Posted 9/14/2009 5:05:20 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 9/14/2009 11:21:07 AM
Posts: 2, Visits: 0
Thank you for your prompt reply.

Another thing if I may. When user logs in to his computer, lots of Logon Type 3 are generated in the DC. Is there a way to know their login one, or unlock PC one. I know in computers it generates Logon type 2, or 7,but in DC I can't figure out which one is used to login, and which one to access resources.

Thank you very much for your support.

Post #209
Posted 9/14/2009 5:30:26 PM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
No, those 540 logon type 3 events are associated with the computer reading group policy and other AD stuff.  Only place to get what you are looking for is where you already found it - on the workstation.
Post #210
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 10:49am