Method 1: Using Windows NT Auditing
To use Windows NT auditing to determine which workstation a user accessed to logon to the domain, follow these steps:
- Start User Manager for Domains.
- Click Audit from the Policies menu.
- Click to enable Success for the Logon and Logoff category. Optionally, you may also check the Failure box.
After the above procedure has been implemented, Windows NT will create anevent log for each successful logon attempt. The log will appear like thefollowing example:
Event Detail Date: 06/04/98 Event ID: 528 Time: 10:06:43 AM Source: Security User: msolanki Type: Success Audit Computer: SMSCENT Category: Logon/Logoff Description: Logon/Logoff: Successful Logon User Name: msolanki Domain: SATHYA Logon ID: (0x0, 0x2D0D0) Logon Type: 3 Logon Process: User32 Authentication Pkg: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: \\JAMES
Method 2: Using Network Monitor
To use Network Monitor to determine which workstation a user accessed to log on to the domain, follow these steps:
- Capture all incoming traffic to the domain controller(s). In order to reduce the size of the captured data, follow these steps:
- If possible, include only the primary domain controller or backup domain controller that is most likely to validate the user.
- Set a capture filter, including only the server message block (SMB) protocol.
- Configure a large enough memory buffer through the Buffer Settings option on the Capture menu.
- After the data has been captured, set a display filter to only include:
Protocol: SMB Property: Account Name Relation: Exists
This will display all the initial SMB session setup containing the username and the source media access control address.
Src Mac Addr: Dst Mac Addr: DescriptionWKS1 SUNKING C session setup & X, Username = MariaH, and Ctree connect & X, Share = \\SUNKING\IPC$WKS2 SUNKING C session setup & X, Username = JoeSmith, and Ctree connect & X, Share = \\SUNKING\IPC$WKS3 SUNKING C session setup & X, Username = Administrator,and C tree connect & X, Share = \\SUNKING\IPC$
In the example above, WKS1 is the computer where the user is logging onfrom, SUNKING is the domain controller authenticating the request, and theDescription contains the Windows NT domain account being used.
NOTE: The Src Mac Addr may also been shown as a media access control or IPaddress if the NetBIOS name could not be resolved or the entry is not inthe Network Monitor address database.
Method 3: Using Windows NT Diagnostics
To use Windows NT diagnostics to determine which workstation a user accessed to log on to the domain, follow these steps:
- At the client workstation, click Start, type Winmsd in the Open box, and then click OK.
- On the Network tab, click the General button.
You will see information similar to the following:
Identifier ValueYour Access level Admin; LocalWorkgroup or Domain SATHYANetwork version 4.0Lan Root SATHYALogged On Users 1Current User (1) MSolankiLogged Domain SATHYALogon Server SMSCENT