You are currently offline, waiting for your internet to reconnect

Your browser is out-of-date

You need to update your browser to use the site.

Update to the latest version of Internet Explorer

SMS: How to Determine Which Logon Server Was Used During Network Logon Operation

This article was previously published under Q199472
This article describes the methods which are available in Windows NT to identify which workstation was used by a user to log on to the network. You can use one or more of the following methods:
  • Method 1: Using Windows NT Auditing. -or-

  • Method 2: Using Microsoft Network Monitor (or other network tracing utility) -or-

  • Method 3: Using Windows NT Diagnostics (NT 4.0)

Method 1: Using Windows NT Auditing

To use Windows NT auditing to determine which workstation a user accessed to logon to the domain, follow these steps:
  1. Start User Manager for Domains.
  2. Click Audit from the Policies menu.
  3. Click to enable Success for the Logon and Logoff category. Optionally, you may also check the Failure box.
After the above procedure has been implemented, Windows NT will create anevent log for each successful logon attempt. The log will appear like thefollowing example:
   Event Detail   Date:     06/04/98  Event ID:  528   Time:     10:06:43 AM  Source:  Security   User:     msolanki  Type:  Success Audit   Computer: SMSCENT  Category: Logon/Logoff   Description:   Logon/Logoff: Successful   Logon User Name: msolanki   Domain: SATHYA   Logon ID: (0x0, 0x2D0D0)   Logon Type: 3   Logon Process: User32 Authentication Pkg:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0   Workstation Name: \\JAMES				

Method 2: Using Network Monitor

To use Network Monitor to determine which workstation a user accessed to log on to the domain, follow these steps:
  1. Capture all incoming traffic to the domain controller(s). In order to reduce the size of the captured data, follow these steps:
    1. If possible, include only the primary domain controller or backup domain controller that is most likely to validate the user.
    2. Set a capture filter, including only the server message block (SMB) protocol.
    3. Configure a large enough memory buffer through the Buffer Settings option on the Capture menu.
  2. After the data has been captured, set a display filter to only include:
       Protocol: SMB   Property: Account Name   Relation: Exists					
This will display all the initial SMB session setup containing the username and the source media access control address.

For example:
Src Mac Addr: Dst Mac Addr: DescriptionWKS1          SUNKING       C session setup & X, Username = MariaH, and Ctree connect & X, Share = \\SUNKING\IPC$WKS2          SUNKING       C session setup & X, Username = JoeSmith, and Ctree connect & X, Share = \\SUNKING\IPC$WKS3          SUNKING       C session setup & X, Username = Administrator,and C tree connect & X, Share = \\SUNKING\IPC$				
In the example above, WKS1 is the computer where the user is logging onfrom, SUNKING is the domain controller authenticating the request, and theDescription contains the Windows NT domain account being used.

NOTE: The Src Mac Addr may also been shown as a media access control or IPaddress if the NetBIOS name could not be resolved or the entry is not inthe Network Monitor address database.

Method 3: Using Windows NT Diagnostics

To use Windows NT diagnostics to determine which workstation a user accessed to log on to the domain, follow these steps:
  1. At the client workstation, click Start, type Winmsd in the Open box, and then click OK.
  2. On the Network tab, click the General button.

    You will see information similar to the following:
Identifier            ValueYour Access level     Admin; LocalWorkgroup or Domain   SATHYANetwork version       4.0Lan Root              SATHYALogged On Users         1Current User (1)      MSolankiLogged Domain         SATHYALogon Server          SMSCENT				

Article ID: 199472 - Last Review: 10/27/2006 14:59:02 - Revision: 2.4

  • Microsoft Systems Management Server 1.2 Standard Edition
  • Microsoft Systems Management Server 2.0 Standard Edition
  • kbaudit kbclient kbinfo kbnettrace kbnetwork kbremoteprog kbsecurity kbserver kbsmsutil KB199472
://"> var varCustomerTracking = 1; var Route = "76500"; var Ctrl = ""; document.write(" d')[0].appendChild(m);" onload="var m=document.createElement('meta');'ms.dqp0';m.content='false';document.getElementsByTagName('head')[0].appendChild(m);" src=""> ?DI=4050&did=1&t=">