How can i retrieve the domain of a user? Expand / Collapse
Author
Message
Posted 3/17/2010 5:26:18 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/18/2010 12:31:13 PM
Posts: 3, Visits: 2
Good Morning,

I noticed that the Event ID 4776 does not contain -in any field- the domain to which a user belongs to, neither does its object sid.

The only information that I can retrive is its username. Anyway, if there are two persons with the same username in two different domains, authorized by the same domain controller, (i.e. register the same ID Event as above indicated), how can I determine which one is the correct one?  

Thank you and good work!

Alessandro Rimoldi (KBE Srl- Milano, Italy)

Post #339
Posted 3/17/2010 6:40:36 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
In short, the context of this event is the accounts on the local computer.  Therefore there is no need for the domain - it is always the domain of the domain controller logging the event.  As pointed out in the encyclopedia entry for this event, this event is logged not just on DCs but all other computers to - when someone attempts to logon with a local account. 
Post #340
Posted 4/21/2010 4:31:46 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/9/2010 4:15:24 PM
Posts: 3, Visits: 0
So, if we are doing this programmatically (reporting on 4776), we need to have available to us at run-time a list of domain controllers for the logging computer's domain, or be able to generate that list on the fly ... If we do not known whether the logging computer is a domain controller, we do not know whether this is a domain account authentication attempt, or a local account authentication (technically, all of these are 'local' account authentication attempts, it's just that the domain controller's local SAM is the domain SAM) ...
Post #364
Posted 4/28/2010 9:21:56 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
All true except that Win2000+ DCs don't have a local SAM - just AD
Post #366
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 8:27am