
RE: Tracking down a user in a large AD network

From: Robinson, Sonja <SRobinson(at)HIPUSA.com>
Date: Fri Jul 25 2003 - 09:00:20 EDT


Dump your event logs into a text-readable format (DumpEVT works well) and search for "Security,528" using TextPad. At the end of the transaction line will be the workstation name. Or, since you know the User ID, search on the User ID and avoid extracting only logon info. This way you can find out much more of what the user did. It is easy to save your results into xls format for easy searching.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office: 212-806-4125
Pager: 8884238615
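An added example (not part of the original post) of the search described above, done in code rather than in TextPad: it walks a DumpEVT-style text export, keeps only rows for the account in question, and pulls the Workstation Name out of event 528 and the Client Address out of event 673. The column layout and the sample rows are constructed for this example and are assumed, not DumpEVT's exact output.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in a DumpEVT-like layout (assumed, not the tool's exact format):
# date,time,source,type,category,event_id,user,computer,description
SAMPLE_DUMP = """\
07/24/2003,15:10:02,Security,Success Audit,Logon/Logoff,528,SYSTEM,DC01,"Successful Logon: User Name: helpdesk_shared Domain: CORP Logon ID: (0x0,0x3A4F) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: WS-4471"
07/24/2003,15:12:45,Security,Success Audit,Account Logon,673,SYSTEM,DC01,"Service Ticket Granted: User Name: helpdesk_shared@CORP.EXAMPLE User Domain: CORP.EXAMPLE Service Name: DC01$ Client Address: 10.20.30.44"
07/24/2003,15:30:11,Security,Success Audit,Logon/Logoff,528,SYSTEM,DC17,"Successful Logon: User Name: jsmith Domain: CORP Logon ID: (0x0,0x3B00) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: WS-0912"
07/24/2003,15:41:09,Security,Success Audit,Logon/Logoff,528,SYSTEM,DC42,"Successful Logon: User Name: helpdesk_shared Domain: CORP Logon ID: (0x0,0x3C11) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: WS-4471"
"""

USER_RE = re.compile(r"User Name:\s*([^\s@]+)")      # drop any @REALM suffix (673 uses a UPN)
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(\S+)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
CLIENT_ADDR_RE = re.compile(r"Client Address:\s*(\S+)")

def parse_dump(text):
    """Yield (date, time, event_id, dc, description) for each well-formed row."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 9:
            yield row[0], row[1], row[5], row[7], row[8]

def logons_for_user(text, user):
    """Map each source (workstation name or client IP) to the matching events for `user`."""
    # Event 528 (successful logon) names the workstation; event 673 (service ticket
    # granted) only records the client IP address, so both are collected side by side.
    hits = defaultdict(list)
    for date, time, event_id, dc, desc in parse_dump(text):
        m = USER_RE.search(desc)
        if not m or m.group(1).lower() != user.lower():
            continue
        if event_id == "528":
            ws = WORKSTATION_RE.search(desc)
            lt = LOGON_TYPE_RE.search(desc)
            if ws:
                hits[ws.group(1)].append((date, time, dc, "528", lt.group(1) if lt else "?"))
        elif event_id == "673":
            addr = CLIENT_ADDR_RE.search(desc)
            if addr:
                hits[addr.group(1)].append((date, time, dc, "673", "-"))
    return dict(hits)

if __name__ == "__main__":
    for source, events in sorted(logons_for_user(SAMPLE_DUMP, "helpdesk_shared").items()):
        print(source, events)
```

Logon Type is kept because, for a shared account, an interactive logon (type 2) at a named workstation is the row worth following up; a network logon (type 3) may only be a file-share access from that host.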

-----Original Message-----
From: simonis [mailto:simonis@myself.com]
Sent: Thursday, July 24, 2003 4:42 PM
To: focus-ih@securityfocus.com
Cc: focus-ms@securityfocus.com
Subject: Tracking down a user in a large AD network

All,
First, forgive the x-post. I'm not sure, based on list volume, that anyone else is subscribed to the IH list =). I have quite the dilemma on my hands. I work on a pretty large AD domain with nearly 100 domain controllers. We recently had an OU with about 5000 users deleted from the directory. I know the name of the user, but... it is a shared account. (I know, but with over 100,000 users, these things slip by.)

What I need to do is track back to the workstation that was used for the login, and I haven't had much luck. I'm focusing on event 673, but I'm not sure this is the right angle. Any ideas??

TIA,
-Ds



Received on Fri Jul 25 11:46:54 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:18 EDT

