|
|
|
Forum Newbie
Group: Forum Members
Last Login: 9/14/2009 11:21:07 AM
Posts: 2,
Visits: 0
|
|
| Hi, I'm trying to figure out when a user change password, what computer the password change request came from. I can't see this information neither on Domain Controller, not in the computer. Thank you for any help
|
|
|
|
|
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 106,
Visits: 0
|
|
- Get the Caller Logon ID from this event.
- look backwards in same log for event 528 or 540 with the same logon ID
- look in that 528 or 540 event for Workstation Name and/or Source Network Address
|
|
|
|
|
Forum Newbie
Group: Forum Members
Last Login: 9/14/2009 11:21:07 AM
Posts: 2,
Visits: 0
|
|
| Thank you for your prompt reply. Another thing if I may. When user logs in to his computer, lots of Logon Type 3 are generated in the DC. Is there a way to know their login one, or unlock PC one. I know in computers it generates Logon type 2, or 7,but in DC I can't figure out which one is used to login, and which one to access resources. Thank you very much for your support.
|
|
|
|
|
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 106,
Visits: 0
|
|
| No, those 540 logon type 3 events are associated with the computer reading group policy and other AD stuff. Only place to get what you are looking for is where you already found it - on the workstation.
|
|
|
|