Security Basics mailing list archives

RE: Windows 2000 user login

From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Thu, 27 Mar 2003 15:07:49 -0500

 Dump your PDC logs using DumpEVT or similar.  Search the log files for the
users user name or by the MS Security Event Code.  This will give you all of
the computer names that his account is trying to be accessed from.  So in
other words you will locate HIS true machine, plus any machine that may have
a script under his account or if someone is trying to brute force his
account, etc.  Your password policy of 30 days is fine and is not the cause.
Most likely it is user disfunction or their is a script/batch file/process
trying to use the account and he forgot about it- which still applies to
user disfunction.

-----Original Message-----
From: Wright, Bill
To: security-basics () securityfocus com
Sent: 3/26/2003 1:16 PM
Subject: Windows 2000 user login

I have never posted to this board, so hopefully I'm following the right
procedures.  My issue is that a user's account keeps getting locked out
due to an aggressive password policy (30 days) and he claims that he
isn't logged into multiple machines nor is he fat fingering his
password.  Is anybody aware of a product to find out where or how many
Windows 2000 servers or workstations a user is logged into?  My thinking
is that he's logged into multiple machines under an old password that
keeps locking him out.

Thanks,
Bill 



-------------------------------------------------------------------
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfsbl1


**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or 
others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby 
notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have 
received this communication in error, please notify the sender of the error immediately, do not read or use the 
communication in any manner, destroy all copies, and delete it from your system if the communication was sent via 
email. 




**********************************************************************


-------------------------------------------------------------------
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfsbl1

Current thread:

Windows 2000 user login Wright, Bill (Mar 27)
- RE: Windows 2000 user login John Tolmachoff (Mar 28)
- Re: Windows 2000 user login Su Wadlow (Mar 28)
  - RE: Windows 2000 user login dave (Mar 29)
    - RE: Windows 2000 user login dave (Mar 31)
    - RE: Windows 2000 user login dave (Mar 31)
- Re: Windows 2000 user login Chuck Swiger (Mar 28)
- <Possible follow-ups>
- RE: Windows 2000 user login Wright, Bill (Mar 28)
- Re: Windows 2000 user login Scott Cadwell (Mar 28)
- RE: Windows 2000 user login Robinson, Sonja (Mar 28)
- Re: Windows 2000 user login nightowlcat (Mar 28)
- Re: Windows 2000 user login H Carvey (Mar 28)
- RE: Windows 2000 user login Moeckel, Sharon (Mar 29)
- RE: Windows 2000 user login Andre Luis Braz Henrique (Mar 29)