-----Original Message-----
From: Jeremy Thomas [mailto:jeremy.thomas@xxxxxxxxx]
Sent: Monday, June 14, 2004 3:52 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: FW: Re: Determining which user a TS 2003 per-device CAL license is issued to

First thoughts were:

http://is-it-true.org/nt/atips/atips155.shtml

Logon type 2 is a console logon, so no, I would not expect to see an IP address, as the "network source address" would be the local machine. However, I didn't find a description of the Logon type 10 that I got. This article throws some light on that:

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/38109/38109.html

In Windows Server 2003 and Windows XP, Microsoft added a new logon type specifically for Terminal Services logons. When users log on through Terminal Services, event ID 528 shows Logon Type 10 instead of Logon Type 2. You can identify Terminal Services logons that failed because of a bad username or password by looking for event ID 529 with Logon Type 10.

It would imply that you're either using W2000, where you don't get the client IP address information,

MJL: You mean Win2000 for the TS? Nope; it's a Win2K3 server. And the user is not accessing from a Win2K machine; it's XP Home.

or that you've managed to pick a console logon event.

MJL: Nope; this person is not on-site, and there isn't access to the console (or shouldn't be). This was not a console login.
Here's a definite console login (I know, because it was me):

    Successful Logon:
    User Name: Administrator
    Domain: MIKE-DOMAIN
    Logon ID: (0x0,0xAD187)
    Logon Type: 2
    Logon Process: NWGINA
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: MIKE-SERVER
    Logon GUID: -
    Caller User Name: MIKE-SERVER$
    Caller Domain: MIKE-DOMAIN
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 560
    Transited Services: -
    Source Network Address: -
    Source Port: -
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And here's another definitely non-console login (I know, because I was still in the server room, in front of the console, at the time):

    Successful Logon:
    User Name: USER-NAME
    Domain: MIKE-DOMAIN
    Logon ID: (0x0,0x10EBC4)
    Logon Type: 2
    Logon Process: NWGINA
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: MIKE-SERVER
    Logon GUID: -
    Caller User Name: MIKE-SERVER$
    Caller Domain: MIKE-DOMAIN
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 3708
    Transited Services: -
    Source Network Address: -
    Source Port: -

(BTW - how did you post the date & time on your log entries? I.e.,

    --------------Start event---------------
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 528
    Date: 11/06/2004
    Time: 16:29:26
    User: MY_DOMAIN\My_User
    Computer: MY_TS

I can't seem to select and copy that part of the log entry; I'm reading the log via Remote Admin login)

There's also information in that article about other events that happen at the same time as the logon event, so you might be able to gather the information by trying to cross match events that occur at logon. Personally, I'd tend to go with Steve's suggestion of using the %USERNAME% and %CLIENTNAME% variables in a logon script,

MJL: Yes, but the fact that I don't see any client IP connection information seems more serious, don't you think?
I think I may have a bigger problem than just identifying licenses and machine names. Why are my log entries so much different than yours? All my logins seem to be type 2, whether they are console logins or not.
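
Added example, not part of the thread and not written by any of the posters: a small Python parser for event ID 528/529 description text in the layout pasted above. It labels each event by Logon Type (10 as Terminal Services per the article excerpt quoted in the thread, 2 as interactive/console) and reports whether a client address was recorded. The sample events, user names and addresses are constructed.

```python
import re

# Field labels of the 528/529 event description, as shown in the thread.
LABELS = ["Caller User Name", "Caller Domain", "Caller Logon ID",
          "Caller Process ID", "Source Network Address", "Source Port",
          "Authentication Package", "Workstation Name", "Transited Services",
          "Logon Process", "Logon Type", "Logon GUID", "Logon ID",
          "User Name", "Domain", "Reason"]
# Longest labels first so "Caller User Name" wins over "User Name".
FIELD_RE = re.compile(r"\b(%s):\s*" % "|".join(
    re.escape(lab) for lab in sorted(LABELS, key=len, reverse=True)))
HEADER_RE = re.compile(r"(Successful Logon|Logon Failure):")
LOGON_TYPES = {"2": "interactive/console", "10": "terminal-services"}

def parse_events(text):
    """Split pasted event descriptions, even when run together on one line."""
    parts = HEADER_RE.split(" ".join(text.split()))
    events = []
    for header, body in zip(parts[1::2], parts[2::2]):
        tokens = FIELD_RE.split(body)
        fields = {k: v.strip() for k, v in zip(tokens[1::2], tokens[2::2])}
        fields["Outcome"] = header
        events.append(fields)
    return events

def summarize(text):
    """Return (user, outcome, logon category, client address or None)."""
    rows = []
    for ev in parse_events(text):
        src = ev.get("Source Network Address", "-")
        rows.append((ev.get("User Name"), ev["Outcome"],
                     LOGON_TYPES.get(ev.get("Logon Type"), "other"),
                     None if src == "-" else src))
    return rows

# Constructed sample: field layout follows the thread, values are invented.
SAMPLE = """Successful Logon: User Name: alice Domain: EXAMPLE Logon ID: (0x0,0x1A2B3)
Logon Type: 10 Logon Process: User32 Workstation Name: TS01
Caller User Name: TS01$ Caller Domain: EXAMPLE Source Network Address: 192.0.2.15 Source Port: 2871
Successful Logon: User Name: bob Domain: EXAMPLE Logon Type: 2 Workstation Name: TS01
Caller User Name: TS01$ Source Network Address: - Source Port: -
Logon Failure: Reason: Unknown user name or bad password User Name: carol Domain: EXAMPLE
Logon Type: 10 Workstation Name: TS01 Source Network Address: 192.0.2.44 Source Port: 1061"""

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A row with `None` in the last position is a logon that cannot be tied to a client address from the event alone, which is the situation described in the message above.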