First thoughts were: http://is-it-true.org/nt/atips/atips155.shtml

Logon type 2 is a console logon, so no, I would not expect to see an IP address, as the "network source address" would be the local machine. However, I didn't find a description of the Logon type 10 that I got. This article throws some light on that:

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/38109/38109.html

In Windows Server 2003 and Windows XP, Microsoft added a new logon type specifically for Terminal Services logons. When users log on through Terminal Services, event ID 528 shows Logon Type 10 instead of Logon Type 2. You can identify Terminal Services logons that failed because of a bad username or password by looking for event ID 529 with Logon Type 10.

It would imply that you're either using W2000, where you don't get the client IP address information, or that you've managed to pick a console logon event. There's also information in that article about other events that happen at the same time as the logon event, so you might be able to gather the information by trying to cross match events that occur at logon.

Personally, I'd tend to go with Steve's suggestion of using the %USERNAME% and %CLIENTNAME% variables in a logon script.

Regards,
Jeremy Thomas
0472.28.25.47 (+32.472.28.25.47)

_____

From: Leone, Michael [mailto:MLeone@xxxxxxxxxxxxxxxxxxxx]
Sent: 11 June 2004 18:50
To: Thin Client list (thin@xxxxxxxxxxxxx)
Subject: [THIN] FW: Re: Determining which user a TS 2003 per-device CAL license is issued to

Here's a snippet from my TS log, for server MIKE-SERVER:

Successful Logon:
    User Name: EMB
    Domain: MYDOMAIN
    Logon ID: (0x0,0x 12345678 )
    Logon Type: 2
    Logon Process: NWGINA
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: MIKE-SERVER
    Logon GUID: -
    Caller User Name: MIKE-SERVER$
    Caller Domain: MYDOMAIN
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 4356
    Transited Services: -
    Source Network Address: -
    Source Port: -

Nowhere does this show me that EMB logged in from her client named MAGGIE-MAY. That client is an XP Home Edition machine, connecting using the built-in RDP client software. (I happen to know this user, and her machine name. If I didn't, I would have no idea that the license assigned to MAGGIE-MAY is really for Betty.)

Why am I not seeing the level of detail that you are? Is there some auditing I have not turned on?

I occasionally see log entries like:

Session reconnected to winstation:
    User Name: MSB
    Domain: MYDOMAIN
    Logon ID: (0x0,0x 12345678 )
    Session Name: RDP-Tcp#849
    Client Name: THAT-GUY
    Client Address: xx.xxx.xxx.xxx

So I can see that MSB re-connected to a session, and did the reconnecting from a machine named THAT-GUY at IP xx.xxx.xxx. So if I see a license to THAT-GUY, I know it's for Mark. Yet I don't see any initial login that shows me that same info.

We're definitely getting closer to that beer ... :-)

--
------------------------------------------------------------
Michael Leone, Systems Administrator
Philadelphia Contributionship
210 S. 4th Street, Philadelphia, PA 19106
<mailto:mleone@xxxxxxxxxxxxxxxxxxxx>
V: 215-627-1752 x1282
F: 215-627-5354

-----Original Message-----
From: Jeremy Thomas [mailto:jeremy.thomas@xxxxxxxxx]
Sent: Friday, June 11, 2004 10:42 AM
To: Leone, Michael
Subject: RE: [THIN] Re: Determining which user a TS 2003 per-device CAL license is issued to

Michael,

Here's copy paste from the event log of my terminal server, MY_TS:

--------------Start event---------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 11/06/2004
Time: 16:29:26
User: MY_DOMAIN\My_User
Computer: MY_TS
Description:
Successful Logon:
    User Name: My_User
    Domain: MY_DOMAIN
    Logon ID: (0x0,0x12345678)
    Logon Type: 10
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: MY_TS
    Logon GUID: {12345678-0123-0123-0123-0123456789ab}
    Caller User Name: MY_TS$
    Caller Domain: MY_DOMAIN
    Caller Logon ID: (0x0,0x123)
    Caller Process ID: 3420
    Transited Services: -
    Source Network Address: 10.0.0.2
    Source Port: 2122

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------End event---------------

MY_DOMAIN is the domain I log on to.
My_User is the username I used.
MY_TS is the terminal server I logged on to.

So far, I think that's what you got as well. The key thing I think you might have missed (you need to scroll down the event to see it) is the line before last. "Source Network Address:" corresponds to the IP address of my workstation. If you can resolve that IP address to "MAIN", then you have a trace of which user logged on from MAIN and when.

Please let me know if I've earned myself a virtual beer.

Regards,
Jeremy Thomas
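
An added example, not part of any message in this thread: a small Python parser for event descriptions in the field-per-line layout quoted above, reporting which events give a client address or client name for a user. The sample text is constructed from the thread's redacted values (10.0.0.7 stands in for the masked client address), and the function names are hypothetical.

```python
# Constructed sample in the field-per-line layout of the events quoted in the thread.
SAMPLE = """\
Successful Logon:
  User Name: My_User
  Domain: MY_DOMAIN
  Logon Type: 10
  Source Network Address: 10.0.0.2

Successful Logon:
  User Name: EMB
  Domain: MYDOMAIN
  Logon Type: 2
  Source Network Address: -

Session reconnected to winstation:
  User Name: MSB
  Domain: MYDOMAIN
  Client Name: THAT-GUY
  Client Address: 10.0.0.7
"""

def parse_events(text):
    """Blank-line separated blocks: a title line, then 'Key: Value' lines."""
    events = []
    for block in text.strip().split("\n\n"):
        title, *rest = block.splitlines()
        fields = {"title": title.strip().rstrip(":")}
        for line in rest:
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def client_trace(events):
    """One (DOMAIN\\user, client name, client address) row per event; None = not recorded."""
    rows = []
    for e in events:
        user = e.get("Domain", "?") + "\\" + e.get("User Name", "?")
        if e["title"] == "Successful Logon":
            addr = e.get("Source Network Address", "-")
            # In the thread, only the type 10 (Terminal Services) logon has an address.
            remote = e.get("Logon Type") == "10" and addr != "-"
            rows.append((user, None, addr if remote else None))
        elif e["title"] == "Session reconnected to winstation":
            rows.append((user, e.get("Client Name"), e.get("Client Address")))
    return rows

if __name__ == "__main__":
    print(*client_trace(parse_events(SAMPLE)), sep="\n")
```

Rows with an address but no client name still need a name lookup for that address before they can be matched to a per-device license entry.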