Re: Can anyone explain this event log?
From: Fletch Bowling (fletchb_at_gmail.com)
Date: 11/18/04
- Next message: Kathea Banshou: "Re: Seeing .pst files in Windows Explorer"
- Previous message: Jeff Cochran: "Re: webfolders permissions and IIs"
- In reply to: Dave Patrick: "Re: Can anyone explain this event log?"
- Next in thread: Dave Patrick: "Re: Can anyone explain this event log?"
- Reply: Dave Patrick: "Re: Can anyone explain this event log?"
- Messages sorted by: [ date ] [ thread ]
Date: 18 Nov 2004 14:32:48 -0800
Dave,
Ok that got me close but it's not showing up in that location. I did
find it here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group
Policy\S-1-5-21-1840077180-1519677995-3089533590-1006
It has something to do with group policy but I am not sure what.
Any ideas on how to find out what this is? If it's not an actually
user, I am going to have to filter it out.
Thanks again,
Fletch
"Dave Patrick" <mail@Nospam.DSPatrick.com> wrote in message news:<O2MzLiPzEHA.2624@TK2MSFTNGP11.phx.gbl>...
> You'll find those SID's listed at;
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "Fletch Bowling" wrote:
> | Hello,
> |
> | I am trying to audit computer use in one of our small libraries. By
> | reading the net I found out I can enable logging via local policy
> | which I have done. Right now I am just trying to count the number of
> | log on's (to justify funding). To make a long story short I have been
> | piecing it all together via the ms vbscript (eventquery) and sending
> | that to excell . Well I soon learned that event 528 is more than just
> | user login's ,,its also loggin something called AUTHORITY\NETWORK
> | SERVICE. No problem, I figured out how to filter that out with
> | eventquery. I have been letting the logging run for a few days at a
> | hosipital on one machine as a test basis. I check the logs today and
> | look what I got:
> |
> | Notice the user in part is listed as
> | S-1-5-21-1840077180-1519677995-3089533590-1006
> |
> | But further down it's listed as Patron (what it should be)
> |
> | Any ideas what this could be? It's only shown up a couple of times but
> | i need to know what it is.
> |
> | Thanks, regards,
> | Fletch
> |
> |
> |
> |
> | Event Type: Success Audit
> | Event Source: Security
> | Event Category: Logon/Logoff
> | Event ID: 528
> | Date: 11/16/2004
> | Time: 1:03:55 PM
> | User: S-1-5-21-1840077180-1519677995-3089533590-1006
> | Computer: PCK1
> | Description:
> | Successful Logon:
> | User Name: Patron
> | Domain: PCK1
> | Logon ID: (0x0,0x91729EF)
> | Logon Type: 2
> | Logon Process: NWGINA
> | Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> | Workstation Name: PCK1
> | Logon GUID: {00000000-0000-0000-0000-000000000000}
> |
> | For more information, see Help and Support Center at
> | http://go.microsoft.com/fwlink/events.asp.
- Next message: Kathea Banshou: "Re: Seeing .pst files in Windows Explorer"
- Previous message: Jeff Cochran: "Re: webfolders permissions and IIs"
- In reply to: Dave Patrick: "Re: Can anyone explain this event log?"
- Next in thread: Dave Patrick: "Re: Can anyone explain this event log?"
- Reply: Dave Patrick: "Re: Can anyone explain this event log?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
