[THIN] Re: FW: Re: Determining which user a TS 2003 per-device CAL license is issued to

  • From: Jeremy Thomas <jeremy.thomas@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 14 Jun 2004 09:51:49 +0200

First thoughts were:
http://is-it-true.org/nt/atips/atips155.shtml
 
Logon type 2 is a console logon, so no, I would not expect to see an IP
address, as the "network source address" would be the local machine.
However, I didn't find a description of the Logon type 10 that I got.
 
This article throws some light on that:
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/38109/38109.html
In Windows Server 2003 and Windows XP, Microsoft added a new logon type
specifically for Terminal Services logons. When users log on through
Terminal Services, event ID 528 shows Logon Type 10 instead of Logon Type 2.
You can identify Terminal Services logons that failed because of a bad
username or password by looking for event ID 529 with Logon Type 10. 

It would imply that you're either using W2000, where you don't get the
client IP address information, or that you've managed to pick a console
logon event. There's also information in that article about other events that
happen at the same time as the logon event, so you might be able to gather
the information by trying to cross match events that occur at logon.
 
Personally, I'd tend to go with Steve's suggestion of using the %USERNAME%
and %CLIENTNAME% variables in a logon script.

Regards, 

Jeremy Thomas 
0472.28.25.47 
(+32.472.28.25.47) 

 

  _____  

From: Leone, Michael [mailto:MLeone@xxxxxxxxxxxxxxxxxxxx] 
Sent: 11 June 2004 18:50
To: Thin Client list (thin@xxxxxxxxxxxxx)
Subject: [THIN] FW: Re: Determining which user a TS 2003 per-device CAL license is issued to


Here's a snippet from my TS log, for server MIKE-SERVER:

Successful Logon:
User Name: EMB
Domain: MYDOMAIN
Logon ID: (0x0,0x 12345678 )
Logon Type: 2
Logon Process: NWGINA 
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MIKE-SERVER
Logon GUID: -
Caller User Name: MIKE-SERVER$
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4356
Transited Services: -
Source Network Address: -
Source Port: -
 
Nowhere does this show me that EMB logged in from her client named
MAGGIE-MAY. That client is an XP Home Edition machine, connecting using the
built-in RDP client software.
 
(I happen to know this user, and her machine name. If I didn't, I would have
no idea that the license assigned to MAGGIE-MAY is really for Betty)
 
Why am I not seeing the level of detail that you are? Is there some auditing
I have not turned on? I occasionally see log entries like:
 
 
Session reconnected to winstation:
User Name: MSB
Domain: MYDOMAIN
Logon ID: (0x0,0x 12345678 )
Session Name: RDP-Tcp#849
Client Name: THAT-GUY
Client Address: xx.xxx.xxx.xxx
 
So I can see that MSB re-connected to a session, and did the reconnecting
from a machine named THAT-GUY at IP xx.xxx.xxx. So if I see a license to
THAT-GUY, I know it's for Mark.
 
Yet I don't see any initial login, that shows me that same info.
 
We're definitely getting closer to that beer ... :-)

--
------------------------------------------------------------
Michael Leone, Systems Administrator
Philadelphia Contributionship
210 S. 4th Street, Philadelphia, PA  19106
<mailto:mleone@xxxxxxxxxxxxxxxxxxxx>
V: 215-627-1752 x1282
F: 215-627-5354
  

-----Original Message-----
From: Jeremy Thomas [mailto:jeremy.thomas@xxxxxxxxx] 
Sent: Friday, June 11, 2004 10:42 AM
To: Leone, Michael
Subject: RE: [THIN] Re: Determining which user a TS 2003 per-device CAL license is issued to


Michael,
 
Here's copy paste from the event log of my terminal server, MY_TS:
 
--------------Start event---------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff 
Event ID: 528
Date:  11/06/2004
Time:  16:29:26
User:  MY_DOMAIN\My_User
Computer: MY_TS
Description:
Successful Logon:
  User Name: My_User
  Domain:  MY_DOMAIN
  Logon ID:  (0x0,0x12345678)
  Logon Type: 10
  Logon Process: User32  
  Authentication Package: Negotiate
  Workstation Name: MY_TS
  Logon GUID: {12345678-0123-0123-0123-0123456789ab}
  Caller User Name: MY_TS$
  Caller Domain: MY_DOMAIN
  Caller Logon ID: (0x0,0x123)
  Caller Process ID: 3420
  Transited Services: -
  Source Network Address: 10.0.0.2
  Source Port: 2122
 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

--------------End event---------------
 
MY_DOMAIN is the domain I log on to.
My_User is the username I used.
MY_TS is the terminal server I logged on to.
So far, I think that's what you got as well.
The key thing I think you might have missed (you need to scroll down the
event to see it) is the line before last.
"Source Network Address:" corresponds to the IP address of my workstation.
If you can resolve that IP address to "MAIN", then you have a trace of which
user logged on from MAIN and when.
 


Please let me know if I've earned myself a virtual beer.

 
 

Regards, 

Jeremy Thomas 
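
Added example (not part of the original thread): a Python version of the cross-matching discussed above. It keeps only Logon Type 10 logons, which carry a source address, and joins them to "Session reconnected" events by address to map a client name to the accounts seen on it. The function names and the text export format (one description per blank-line-separated block) are assumptions, and the sample events are constructed from the field layouts quoted in the messages.

```python
# Constructed sample, modelled on the event descriptions quoted in the thread.
SAMPLE_EVENTS = """\
Successful Logon:
  User Name: EMB
  Domain: MYDOMAIN
  Logon Type: 2
  Source Network Address: -

Successful Logon:
  User Name: My_User
  Domain: MY_DOMAIN
  Logon Type: 10
  Source Network Address: 10.0.0.2

Session reconnected to winstation:
  User Name: My_User
  Domain: MY_DOMAIN
  Client Name: THAT-GUY
  Client Address: 10.0.0.2
"""

def parse_events(text):
    """Split blank-line separated event descriptions into field dicts."""
    events = []
    for block in text.strip().split("\n\n"):
        head, *fields = block.strip().splitlines()
        event = dict(map(str.strip, f.split(":", 1)) for f in fields)
        events.append({"kind": head.strip().rstrip(":"), **event})
    return events

def account(event):
    return f"{event['Domain']}\\{event['User Name']}"

def ts_logons(events):
    """Source address -> accounts, for Logon Type 10 (Terminal Services) only."""
    seen = {}
    for e in events:
        if e["kind"] == "Successful Logon" and e.get("Logon Type") == "10":
            seen.setdefault(e["Source Network Address"], set()).add(account(e))
    return seen

def client_owners(events):
    """Client name -> accounts, joining reconnect events to type 10 logons by address."""
    by_addr, owners = ts_logons(events), {}
    for e in events:
        if e["kind"] == "Session reconnected to winstation":
            users = owners.setdefault(e["Client Name"], set())
            users |= {account(e)} | by_addr.get(e["Client Address"], set())
    return owners
```

The join on address is only as reliable as the address-to-machine mapping for the same time window, so with DHCP the lease records for that period are needed alongside the events.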




