[THIN] Re: FW: Re: Determining which user a TS 2003 per-device CAL license is issued to

  • From: "Leone, Michael" <MLeone@xxxxxxxxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Mon, 14 Jun 2004 09:13:19 -0400

 

-----Original Message-----
From: Jeremy Thomas [mailto:jeremy.thomas@xxxxxxxxx] 
Sent: Monday, June 14, 2004 3:52 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: FW: Re: Determining which user a TS 2003 per-device CAL
license is issued to


First thoughts were:
http://is-it-true.org/nt/atips/atips155.shtml
 
Logon type 2 is a console logon, so no I would not expect to see an IP
address, as the "network source address" would be the local machine.
However, I didn't find a description of the Logon type 10 that I got.
 
This article throws some light on that:
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/38109/38109.html
In Windows Server 2003 and Windows XP, Microsoft added a new logon type
specifically for Terminal Services logons. When users log on through
Terminal Services, event ID 528 shows Logon Type 10 instead of Logon Type 2.
You can identify Terminal Services logons that failed because of a bad
username or password by looking for event ID 529 with Logon Type 10.  
 

It would imply that you're either using W2000, where you don't get the
client IP address information, 
 
MJL: You mean Win2000 for the TS? Nope; it's a Win2K3 server. And the user
is not accessing from a Win2K machine; it's XP Home.
 
  or that you've managed to pick a console logon event.  
 
MJL: Nope; this person is not on-site, and there isn't access to the console
(or shouldn't be). This was not a console login.
 
Here's a definite console login (I know, because it was me):
 
 

Successful Logon:
User Name: Administrator
Domain:  MIKE-DOMAIN 
Logon ID: (0x0,0xAD187)
Logon Type: 2
Logon Process: NWGINA 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:  MIKE-SERVER 
Logon GUID: -
Caller User Name:  MIKE-SERVER $
Caller Domain:  MIKE-DOMAIN 
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 560
Transited Services: -
Source Network Address: -
Source Port: -
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
And here's another definitely non-console login (I know, because I was still
in the server room, in front of the console, at the time):
 
 
Successful Logon:
User Name:  USER-NAME 
Domain:  MIKE-DOMAIN
 Logon ID: (0x0,0x10EBC4)
Logon Type: 2
Logon Process: NWGINA 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:  MIKE-SERVER 
Logon GUID: -
Caller User Name:  MIKE-SERVER$
Caller Domain:  MIKE-DOMAIN 
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3708
Transited Services: -
Source Network Address: -
Source Port: -
 
(BTW - how did you post the date & time on your log entries? I.e., 
--------------Start event---------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff 
Event ID: 528
Date:  11/06/2004
Time:  16:29:26
User:  MY_DOMAIN\My_User
Computer: MY_TS
 
I can't seem to select and copy that part of the log entry; I'm reading the
log via Remote Admin login) 

 
 
 There's also information in that article about other events that happen at
the same time as the logon event, so you might be able to gather the
information by trying to cross match events that occur at logon.
 
Personally, I'd tend to go with Steve's suggestion of using the %USERNAME%
and %CLIENTNAME% variables in a logon script, 
 
MJL: Yes, but the fact that I don't see any client IP connection information
seems more serious, don't you think? I think I may have a bigger problem
than just identifying licenses and machine names. Why are my log entries so
much different than yours? All my logins seem to be type 2, whether they are
console logins or not.
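
The logon-type rules discussed in this thread, as an added example that is not part of the original messages: Python that parses events pasted in the "Start event" text layout and labels each one by Event ID and Logon Type. The sample events, the 192.0.2.15 address and the `remote_only` account list are constructed assumptions.

```python
import re

# Constructed sample in the "Start event" text layout quoted in the thread;
# user names and the 192.0.2.x address are made up.
SAMPLE = """\
--------------Start event---------------
Event ID: 528
Time:  16:29:26
User Name: My_User
Logon Type: 10
Source Network Address: 192.0.2.15
--------------Start event---------------
Event ID: 528
User Name: Administrator
Logon Type: 2
Source Network Address: -
--------------Start event---------------
Event ID: 528
User Name: USER-NAME
Logon Type: 2
Source Network Address: -
--------------Start event---------------
Event ID: 529
User Name: My_User
Logon Type: 10
Source Network Address: 192.0.2.15
"""

def parse_events(text):
    """Split on the delimiter line; turn each record's 'Key: value' lines into a dict."""
    events = []
    for chunk in re.split(r"(?m)^-+Start event-+[ \t]*$", text):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so times survive
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def classify(ev, remote_only=frozenset()):
    """Rules quoted in the thread: 528 success, 529 bad username/password, type 10 TS, type 2 console."""
    eid, ltype = ev.get("Event ID"), ev.get("Logon Type")
    if ltype == "10":
        return {"528": "ts-logon", "529": "ts-logon-failed"}.get(eid, "other")
    if eid == "528" and ltype == "2":
        # remote_only is a hypothetical set of accounts that never sit at the console
        return "type2-but-remote-user" if ev.get("User Name") in remote_only else "console-logon"
    return "other"

def summarize(text, remote_only=frozenset()):
    return [(ev.get("User Name"), classify(ev, remote_only), ev.get("Source Network Address", "-"))
            for ev in parse_events(text)]
```

Calling `summarize(SAMPLE, {"USER-NAME"})` labels the third event `type2-but-remote-user`, the situation described in the message above, where a remote user's logon is recorded as type 2 with no source address.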

 
