We're migrating our Windows NT servers to Windows 2000 and our workstations to Windows XP. When we ran NT, we could check the Security log and use the Workstation Name field in event ID 528 to determine from which computer a user logged on. I realize that Win2K logs event ID 540 instead of event ID 528 for network logons. However, in event ID 540, the Workstation Name field is always blank, as you mention in "Tracking Logon and Logoff Activity in Win2K," February 2001, InstantDoc ID 16430. How can I determine from which computer a user logged on?
If you enable auditing for the Audit account logon events category on Win2K domain controllers (DCs), you'll see event ID 672. In the description of that event, you'll find a field labeled Client Address, which is the current IP address of the workstation from which the user logged on. If you're using DHCP, you'll need to track down the actual computer that leases that address through your DHCP server log.