F
Fletch Bowling
Hello,
I am trying to audit computer use in one of our small libraries. By
reading the net I found out I can enable logging via local policy
which I have done. Right now I am just trying to count the number of
log on's (to justify funding). To make a long story short I have been
piecing it all together via the ms vbscript (eventquery) and sending
that to excell . Well I soon learned that event 528 is more than just
user login's ,,its also loggin something called AUTHORITY\NETWORK
SERVICE. No problem, I figured out how to filter that out with
eventquery. I have been letting the logging run for a few days at a
hosipital on one machine as a test basis. I check the logs today and
look what I got:
Notice the user in part is listed as
S-1-5-21-1840077180-1519677995-3089533590-1006
But further down it's listed as Patron (what it should be)
Any ideas what this could be? It's only shown up a couple of times but
i need to know what it is.
Thanks, regards,
Fletch
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 11/16/2004
Time: 1:03:55 PM
User: S-1-5-21-1840077180-1519677995-3089533590-1006
Computer: PCK1
Description:
Successful Logon:
User Name: Patron
Domain: PCK1
Logon ID: (0x0,0x91729EF)
Logon Type: 2
Logon Process: NWGINA
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: PCK1
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
I am trying to audit computer use in one of our small libraries. By
reading the net I found out I can enable logging via local policy
which I have done. Right now I am just trying to count the number of
log on's (to justify funding). To make a long story short I have been
piecing it all together via the ms vbscript (eventquery) and sending
that to excell . Well I soon learned that event 528 is more than just
user login's ,,its also loggin something called AUTHORITY\NETWORK
SERVICE. No problem, I figured out how to filter that out with
eventquery. I have been letting the logging run for a few days at a
hosipital on one machine as a test basis. I check the logs today and
look what I got:
Notice the user in part is listed as
S-1-5-21-1840077180-1519677995-3089533590-1006
But further down it's listed as Patron (what it should be)
Any ideas what this could be? It's only shown up a couple of times but
i need to know what it is.
Thanks, regards,
Fletch
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 11/16/2004
Time: 1:03:55 PM
User: S-1-5-21-1840077180-1519677995-3089533590-1006
Computer: PCK1
Description:
Successful Logon:
User Name: Patron
Domain: PCK1
Logon ID: (0x0,0x91729EF)
Logon Type: 2
Logon Process: NWGINA
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: PCK1
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.