"If you find some NTLM logons, you can look at the event's Workstation Name field to determine the client computer's NetBIOS name. (This field is blank when Windows 2000 uses Kerberos.)"

My question is, what if you want to be able to see what workstation a user logs on at on the network, when they authenticate via Kerberos? (a very important piece of information if a system gets hacked or damaged by a successfully authenticated user SOMEWHERE on your network)

How can we restore the functionality in 2000 of seeing the source workstation name of succesful and failed logon/logoff events that we are so used to in NT4!?

Our auditors required this functionality.

I think it is ironic how Microsoft says they made it easier to track security info without looking at event logs all over your network by implementing "Account Logon Events", but then BREAK the source workstation information of Logon/Logoff events.

Jason Bennett 1/10/2003 3:57:20 PM

Auditing...it's for security and accountibility (obviously NOT for spelling) NOT to track an employees time-on-the-job. The add-on that does do this is call a Time Clock.

...cheap shot, I know. But I've often heard clients, once they've gotten an overview (regarding GPOs, Auditing , or some other feature) try to wrangle one element/feature into a complete solution for which a NOS isn't intended. Saving money is good, no doubt. But it is always wise to use "[...the right tool for the job.]"

Matt Brainerd 12/5/2002 6:51:55 AM

An interesting article. What about something that really works though? Looking to track logon and logoff activity and Win2K just doesnt cut it. I need something that will generate a report when a user comes in in the morning and logs off at night. All of these audit features track way to much background authentication and the log itself gets so big that we end up losing info. This is going to be huge for someone who can make this foolproof for hr departments.

tom baumgratz 8/8/2002 12:58:47 PM