Parse Security Logs for User Account logon Computer Name
Greetings,
I was recently tasked with creating a list of user accounts and the computers they logged on to. Unfortunately, we do not have time to use the logon script method. I believe we can achieve this goal using software similar to LANSweeper; however, not all computers will be turned on at a given time, and I believe this application gathers its information from the client PC. One possible solution I see is parsing the data from our domain controllers' Security Logs / Successful Logons; however, this is proving to be a challenge. Any suggestions?
Thanks,
Chris
Hi Chris,
I was recently tasked with creating a list of user accounts and the computer in which they logged onto.
I believe we can achieve this goal using software.
There is no built-in tool to complete this task.
However, we can configure an event log trigger to send an email when specific logon events are generated.
Here are some related articles below for you:
Getting event log contents by email on an event log trigger
http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx
Send an email when an event is logged
http://blogs.iis.net/rickbarber/archive/2012/10/26/send-an-email-when-an-event-is-logged.aspx
Best Regards,
Amy
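An added example, not part of the thread: one way to build the user-to-computer list Chris describes from the domain controllers' Security logs with Get-WinEvent, reading successful-logon events (ID 4624 on Windows Server 2008 and later). The DC names, time window and output path are placeholders, and it assumes logon auditing is already enabled on the domain controllers.

```powershell
# Added example (not from the thread). Run as an account that may read the
# Security log on the domain controllers. All names below are placeholders.
$DomainControllers = @('DC01', 'DC02')          # hypothetical DC names
$Since             = (Get-Date).AddDays(-7)     # reporting window (assumption)

# Logon types to report: 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP)
$LogonTypes = @('2', '3', '10')

$logons = foreach ($dc in $DomainControllers) {
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Also raised when the window contains no matching events
        Write-Warning "No 4624 events returned from ${dc}: $($_.Exception.Message)"
        continue
    }

    foreach ($evt in $events) {
        # EventData is a list of <Data Name="...">value</Data> elements
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        if ($data['TargetUserName'] -like '*$')          { continue }  # computer accounts
        if ($LogonTypes -notcontains $data['LogonType']) { continue }

        # WorkstationName can be empty or "-" on network logons, so the
        # source IP address is kept as a second way to identify the client.
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            LoggedOnDC  = $dc
        }
    }
}

# Keep the most recent logon per user/client pair and write the list out
$logons |
    Group-Object User, Workstation, SourceIP |
    ForEach-Object { $_.Group | Sort-Object Time -Descending | Select-Object -First 1 } |
    Sort-Object User, Time |
    Export-Csv -Path .\user-logons.csv -NoTypeInformation
```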
Similar Messages
-
MDT 2012 Windows 7 Deployment Stops At User Account and Computer Name Setup Page
I was given a sysprepped custom Windows 7 WIM image that was set up by a third party that didn't use MDT to create the WIM.
I created a task sequence to deploy it, but it never finishes. After the OS installs and it reboots, it comes up to the white setup page asking for a user name and computer name that looks like this image:
Is there a setting in MDT that can change that behavior?
Are you joining the computer to a domain?
It sounds like MDT did not create the unattend.xml file itself (or is there an unattend file already in the image itself?)
MDT needs to be able to autologin with the local admin account
From MDT in your task sequence - OS info - Edit unattend.xml you can check if your unattended file is correct.
Check what's in there for:
- computer name in 4 Specialize area - Windows-Shell-Setup_neutral (it should be empty if you want MDT to handle it).
- Also I think you need to have in the Specialize section, under Microsoft-Windows-Deployment_neutral - Run Synchronous an EnableAdmin insert
This will enable the local admin account
- Also check in phase 7 oobe System in Shell-Setup_neutral
There should be an autologon with a count of 999
Check if you have any Local Accounts there.
Finally read this:
When I am joining clients to a domain, can I avoid creating a local user
account on the computer?
Yes. To do this, create an image unattend file that adds a domain account to the Administrators group. In addition, you must delete the <LocalAccounts> section if it is present in your
unattend file (simply commenting it out will not work). An example file is below. Note that if domain join fails, Windows Deployment Services will not use the unattend file so you will be able to create a local account. For more information about creating
unattend files, see Automating Setup.
<?xml version='1.0' encoding='utf-8'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:ms="urn:schemas-microsoft-com:asm.v3" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
      <UserAccounts>
        <AdministratorPassword>
          <Value>password</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <DomainAccounts>
          <DomainAccountList wcm:action="add">
            <DomainAccount wcm:action="add">
              <Group>Administrators</Group>
              <Name>DomainAdmin</Name>
            </DomainAccount>
            <Domain>DomainName</Domain>
          </DomainAccountList>
        </DomainAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
I tried opening the unattend.xml from the MDT workbench, but it errors out saying it cannot be done because the captured image is x86. -
How do I enable "Audit user account logons" using PowerShell, to improve security?
With successful hacking attacks more often employing valid Active Directory user credentials, it is quite helpful when administrators can easily poll user logon events. Rather than query every domain computer for its logon events, one can alter the Default Domain Controller Policy GPO to enable "Audit user account logons" (Success and Failure) then merely poll only the domain controller -- quite efficient. PowerShell helpfully has its Group Policy Module, including the following two cmdlets.
1) Get-GPO "Default Domain Controllers Policy" will retrieve the top-level GPO object, but how do I enable that specific setting?
2) Set-GPRegistryValue might be the right tool, but I cannot find any documentation on the values I need to supply to its parameters (-Name -Key -ValueName -Type -Value) to enable "Audit user account logons" -- both Successes and Failures.
One can manually modify this setting using the Group Policy Management console GUI on the domain controller, but I am trying to upgrade my professional work habits to use stored scripts, rather than unrecorded point & clicks, so that my actions are repeatable and documented.
Any pointers to documentation or an example would be welcome. I originally posted this question in the TechNet PowerShell Forum this afternoon, but someone recommended I copy it to the TechNet Group Policy Forum.
Jeffrey - New Orleans MCITP Enterprise Administrator, Virtualization Administrator
Hi Jeffrey,
>>One can manually modify this setting using the Group Policy Management console GUI on the domain controller, but I am trying to upgrade my professional work habits to use stored scripts, rather than unrecorded point & clicks, so that my actions are repeatable and documented.
Before going further, although you have expressed that you don't want to use GPMC GUI to configure the audit setting, in fact, it's an easy and comparatively handy method to set the setting. Besides, based on the description, you want to use PowerShell to do this. However, as far as I know, PowerShell can configure registry-based policy settings and Group Policy Preferences Registry settings, but audit policy security settings are not registry keys.
Nonetheless, if we really don't want to use GPMC console to do this, we can use Auditpol.exe to set the audit setting.
Regarding this point, the following article can be referred to for more information.
Auditpol
https://technet.microsoft.com/en-in/library/cc731451.aspx
Auditpol set
https://technet.microsoft.com/en-in/library/cc755264.aspx
In addition, regarding Group Policy Cmdlets in Windows PowerShell, the following article can be referred to for more information.
Group Policy Cmdlets in Windows PowerShell
https://technet.microsoft.com/en-us/library/ee461027.aspx
Best regards,
Frank Shen -
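An added example, not part of the thread: the Auditpol.exe route from the reply above, wrapped in a PowerShell script so the change is recorded and then verified by reading the setting back. The category name 'Account Logon' is an assumption matching the "Audit account logon events" policy the question refers to, and the setting text checked is the English one.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the domain controller whose audit policy is being changed.
$Category = 'Account Logon'   # English category name; names are localized

# Enable success and failure auditing for every subcategory in the category
& auditpol.exe /set /category:"$Category" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) {
    throw "auditpol /set failed with exit code $LASTEXITCODE"
}

# Read the setting back in report (CSV) form and parse it
$report = & auditpol.exe /get /category:"$Category" /r |
    Where-Object { $_ } |          # drop blank lines around the CSV
    ConvertFrom-Csv

# Any subcategory that is not auditing both outcomes is reported as a failure
$notEnabled = $report |
    Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }

if ($notEnabled) {
    $notEnabled | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
    throw "Some '$Category' subcategories are not set to Success and Failure."
}

# Keep a dated record of the resulting policy next to the script
$report |
    Select-Object 'Machine Name', Subcategory, 'Inclusion Setting' |
    Export-Csv -Path (".\auditpol-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date)) -NoTypeInformation
```

auditpol changes the local audit policy of the machine it runs on, so a GPO that defines audit policy for the domain controllers will overwrite it at the next policy refresh.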
Itunes constantly trying to open in logged in users accounts on Vista
My new computer is constantly trying to open itunes in all logged in users accounts. Once it opens in one of the accounts it will continually make an error noise everytime it tries to open again because it obviously can only open in one account so the other accounts are getting the "unable to load.." message. When the logged in users go back into their account it will have what seems like 50 of the error messages. It is even trying to open in the users account that does not have an itunes account. This is very annoying. Please help! Thanks
If it is a new computer and you haven't installed anything except firefox, maybe there was something preinstalled on it. IIRC some Roxio software can be configured so that it starts up iTunes at system start for example.
One way to investigate this is to do a selective start up using MSConfig. Start off with just the essential items and the iTunes related programs as in this article.
http://support.apple.com/kb/HT2292?viewlocale=en_US
If the problem disappears with the selective startup, start adding stuff back a few items at a time until the problem comes back.
It's a bit of a sledge hammer to crack a nut I am afraid, but it should allow you to identify the problem. -
Duplicate SPN for user accounts
Hi Support,
I get an error on the system log like the below - but it is bringing up a user account rather than a computer account, for duplicate SPN:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is username. (of type -17). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate
entries for username in Active Directory.
Steps in the article KB321044 is for computer accounts and not for user accounts; is there any relevant steps for user accounts having duplicate SPNS ?
Thanks,
Arun
I've followed the above steps and it does not seem to resolve my issue and the below error on system log repeats:
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 20/08/2014 10:29:49
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxxxx.xxxxxxx.internal
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is [email protected] (of type -17). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for [email protected] in Active Directory.
* Setspn -x command on Server does not list any duplicate SPNs
* Followed http://support.microsoft.com/kb/321044 , but output does not give any duplicate SPNs
* Referred this article and SPN shows only one value and no duplicates:
http://blogs.technet.com/b/qzaidi/archive/2010/10/12/quickly-explained-service-principal-name-registration-duplication.aspx
* Tried re-registering SPN for the account sphilpot as per this article - which :
http://msdn.microsoft.com/en-IN/library/ms191153.aspx#Manual
Not sure this will fix the issue.
{ Noticed Disk error on System event log noticed: " The driver detected a controller error on
\Device\Harddisk1\DR1 "
For which asked to remove/format the Expansion S drive and test } -
OS: Windows Server 2008 R2 Enterprise
Domain Level: 2008
Forest Level: 2000
We have Domain Administrators in our domain that reset passwords for user accounts, and the passwords the Administrators set them to are not being enforced to follow our default domain password policy. For example, I log on to the domain controller as an administrator and can reset a password for a user account to be blank.
Is there a reason Domain Administrator password resets for user accounts are not enforced by our default domain password policy? Is there a way to enforce this on password resets by Domain Admins?
Do you have a fine-grained password policy? If not, by default all the users are affected by the domain-level password policy, even domain admins.
Regards~Biswajit
Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
Hello
I am installing Java add In in Solution manager 4.0, Central Instance. The process stops in this step:
Mar 12, 2007 10:56:58... Info: User management tool (com.sap.security.tools.UserCheck) called for action "checkCreate"
Mar 12, 2007 10:56:58... Info: Connected to backend system SMD client 200 as user DDIC
Mar 12, 2007 10:57:02... Info: Called for user SLDDSUSERSMD
Mar 12, 2007 10:57:05... Info: Formal password check successful
Mar 12, 2007 10:57:05... Info: Will create user SLDDSUSERSMD
Mar 12, 2007 10:58:52... Info: Created user SLDDSUSERSMD of type A with reference user <none>
Mar 12, 2007 10:58:52... Info: Verification of status for user SLDDSUSERSMD
Mar 12, 2007 10:58:52... Info: User SLDDSUSERSMD exists
Mar 12, 2007 10:58:53... Error: Verification of status for user SLDDSUSERSMD failed. Task not successfully executed. Details following.
Mar 12, 2007 10:58:53... Warning: Error during creation of user SLDDSUSERSMD. Will remove user again to ensure clean exit state
Mar 12, 2007 10:59:44... Error: Exception during execution of the operation
Mar 12, 2007 10:59:44... Error: Exception during execution of the operation
[EXCEPTION]
com.sap.security.tools.UserCheck$UserLogonException: Incorrect password for user account SLDDSUSERSMD (USER_OR_PASSWORD_INCORRECT)
at com.sap.security.tools.UserCheck.checkUser(UserCheck.java:833)
at com.sap.security.tools.UserCheck.createUser(UserCheck.java:1904)
at com.sap.security.tools.UserCheck.main(UserCheck.java:289)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.sap.engine.offline.OfflineToolStart.main(OfflineToolStart.java:81)
Mar 12, 2007 10:59:44... Info: Leaving with return code 2
Reserved 1610612736 (0x60000000) bytes before loading DLLs.
INFO 2007-03-12 10:59:45 [synxcfile.cpp:177]
CSyFileImpl::remove()
Removing file C:\Program Files\sapinst_instdir\SOLMAN\LM\AS-JAVA\ADDIN\ORA\CENTRAL\CI\dev_UserCheck.
TRACE [iaxxejsexp.cpp:188]
EJS_Installer::writeTraceToLogBook()
NWException thrown: nw.ume.userError:
Incorrect password for user account SLDDSUSERSMD (USER_OR_PASSWORD_INCORRECT)
ERROR 2007-03-12 10:59:45
CJSlibModule::writeError_impl()
CJS-30196 Incorrect password for user account SLDDSUSERSMD (USER_OR_PASSWORD_INCORRECT)
TRACE [iaxxejsbas.hpp:460]
EJS_Base::dispatchFunctionCall()
JS Callback has thrown unknown exception. Rethrowing.
ERROR 2007-03-12 10:59:45
FCO-00011 The step createSLDDSUser with step key |NW_Addin_CI|ind|ind|ind|ind|0|0|SAP_Software_Features_Configuration|ind|ind|ind|ind|12|0|NW_Usage_Types_Configuration_AS|ind|ind|ind|ind|0|0|NW_CONFIG_SLD|ind|ind|ind|ind|0|0|createSLDDSUser was executed with status ERROR .
User doesn't exist in SU01 - I cannot find it. When I try to create it manually, I have the same error.
Some help?
Thanks in advance
At the end I have created the user
Thanks -
HT201209 I have forgotten my security answers for my account and need to retrieve
I have forgotten my security answers for my account and need to retrieve so I can purchase products.
<Email Edited By Host>
User to user forum.
Posting your email address on the internet is not a good idea.
http://support.apple.com/kb/HT5665 -
Dear Apple Support , I can't remember my security question answers , so Please help me to Create new Security Question for my Account . Best wishes
<Email Edited by Host>
Welcome to the User to User Technical Support Forum provided by Apple.
Please do not post personal information on a Public Forum.
I have requested the Hosts remove it for you
For your issue...
See Here > Apple ID: Contacting Apple for help with Apple ID account security
Ask to speak with the Account Security Team...
Or Email Here > Apple Support iTunes Store Contact
More Info > Apple ID: All about Apple ID security questions
Note:
You can only set up and/or change a Rescue Email Before you forget the questions/answers. -
I can't remember my security question answers , so please help me to Create new Security Question for my Account : **********
, Best wishes
<Personal Information Edited by Host>
We are fellow users here on these user-to-user forums, you're not talking to iTunes Support nor Apple - I've asked the hosts to remove your email address from your post (it's not a good idea to post personal info on any public forum).
If you have a rescue email address (which is not the same thing as an alternate email address) on your account then the steps half-way down this page will give you a reset link on your account : http://support.apple.com/kb/HT5312
If you don't have a rescue email address (you won't be able to add one until you can answer your questions) then you will need to contact Support in your country to get the questions reset.
Contacting Apple about account security : http://support.apple.com/kb/HT5699
When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down the HT5312 link above to add a rescue email address for potential future use -
I forgot my security questions for itunes account
i forgot my security questions for itunes account
plz help me
You need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, phoning AppleCare and asking for the Account Security team, and filling out and submitting this form.
(99646) -
Security answer for my account
I forget my security answer for my account , how can i get it ?
Alternatives for Help Resetting Security Questions and Rescue Mail
1. Apple ID- All about Apple ID security questions.
2. Rescue email address and how to reset Apple ID security questions
3. Apple ID- Contacting Apple for help with Apple ID account security.
4. Fill out and submit this form. Select the topic, Account Security.
5. Call Apple Customer Service: Contacting Apple for support in your
country and ask to speak to Account Security.
How to Manage your Apple ID: Manage My Apple ID -
Tracking and logging of user accounts
how to do tracking and logging of user accounts... monitoring of user accounts... please help
ST03N: http://help.sap.com/saphelp_nw04s/helpdata/en/2d/b8be3befaefc75e10000000a114084/content.htm
-
I want to change the security questions for my account , For I have forgotten
I want to change the security questions for my account , For I have forgotten
Reset Security Questions
Frequently asked questions about Apple ID
Manage My Apple ID
Or you can email iTunes Support at iTunes Store Support.
If all else fails:
1. Go to: Apple Express Lane;
2. Under Product Categories choose iTunes;
3. Then choose iTunes Store;
4. Then choose Account Management;
5. Now choose iTunes Store Security, choose country, then click
Continue;
6. Under ‘more options’ choose/click/tap the email icon. Fill out the form with your contact information. Describe your issue in the text box. ‘Cannot remember answers to security questions, need to have them reset’.
You should get a response within 24-48 hours by email.
In the event you are unsuccessful then contact AppleCare - Contacting Apple for support and service -
Hello
I have a problem in calculating the apple id Can you help me please
I forgot answer security questions for your account How can knowledge
Please help
Please reply as soon as possible
I can not buy from camels Store
And the rest of the account balance $25
Message was edited by: lingo azam
I think you mean App Store.
Rescue email address and how to reset Apple ID security questions