Parse Windows login event for specific details

Hi,
I have a Windows event that I want to search for in the event log using PowerShell.  I've got the basics but can't find how to drill further into the details.  This is what I have so far:
get-eventlog security | where{$_.eventid -eq 4624 -and $_.message -match "Logon Type:\s+3"}
The problem is in the event details I have the following:
An account was successfully logged on.
Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0
Logon Type:            3
New Logon:
    Security ID:        test\administrator
    Account Name:        administrator
    Account Domain:        test
    Logon ID:        0x318df67
    Logon GUID:        {0b843e34-532c-e4c2-9577-2ee19684f472}
Process Information:
    Process ID:        0x0
    Process Name:        -
Network Information:
    Workstation Name:    
    Source Network Address:    192.168.10.11
    Source Port:        51446
How can I query for this information, as for example there are 2 instances of Security ID....
Thanks
James
Alter De Ruine

This blog post does not fully match your request, but it shows how to deal with event log data in PowerShell using the ToXml method:
http://www.normanbauer.com/2012/01/10/how-to-get-detailed-information-on-windows-boot-and-shutdown-performance-in-powershell/
Basically you'll need something like the following code to start with:
#Get events in security log with id 4624
$items = Get-WinEvent -FilterHashtable @{logname="Security"; id=4624;}
#Get first item as xml
$xmlitem = [xml]$items[0].ToXml()
#Get EventID
$xmlitem.Event.System.EventID
#Get logging computer
$xmlitem.Event.System.Computer
#Get subject account name (SubjectUserName)
$xmlitem.Event.EventData.Data | where-object {$_.Name -eq "SubjectUserName"}
#Get account
$xmlitem.Event.EventData.Data | where-object {$_.Name -eq "TargetUserName"}
#Get logon type
$xmlitem.Event.EventData.Data | where-object {$_.Name -eq "LogonType"}
#Get ip address
$xmlitem.Event.EventData.Data | where-object {$_.Name -eq "IpAddress"}
#Get all data
$xmlitem.Event.EventData.Data
In your example the duplicate Security IDs resolve to - I think - SubjectUserName and TargetUserName.
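The ToXml approach from the answer above, carried through to one object per event (an added example, not code from the original thread). In the event XML the two "Security ID" lines of the message are separate named fields, SubjectUserSid and TargetUserSid, so they can be read without matching on message text. The helper name ConvertFrom-LogonEventXml is hypothetical, and the sample event's target SID, timestamp and computer name are constructed placeholders.

```powershell
# Constructed sample: a 4624 event in the shape returned by ToXml(). Account, address
# and port values mirror the event quoted in the question; the target SID, timestamp
# and computer name are made-up placeholders.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2012-01-10T09:15:00.0000000Z" />
    <Computer>srv01.test.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="TargetDomainName">test</Data>
    <Data Name="TargetLogonId">0x318df67</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName" />
    <Data Name="LogonGuid">{0b843e34-532c-e4c2-9577-2ee19684f472}</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.10.11</Data>
    <Data Name="IpPort">51446</Data>
  </EventData>
</Event>
'@

function ConvertFrom-LogonEventXml {
    # Hypothetical helper (not a built-in cmdlet): turns the XML of one 4624 event
    # into an object with the Subject and New Logon fields kept apart.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Xml
    )
    process {
        $doc = [xml]$Xml

        # Index every <Data Name="..."> element by its Name attribute, so fields are
        # looked up by name rather than by position or by the localized message text.
        $fields = @{}
        foreach ($node in $doc.Event.EventData.Data) {
            $fields[$node.GetAttribute('Name')] = $node.InnerText
        }

        # An empty value or '-' means "not recorded"; normalise both to $null.
        $clean = {
            param($value)
            if ([string]::IsNullOrEmpty($value) -or $value -eq '-') { $null } else { $value }
        }

        [pscustomobject]@{
            TimeCreated    = ([datetime]$doc.Event.System.TimeCreated.SystemTime).ToUniversalTime()
            Computer       = $doc.Event.System.Computer
            SubjectSid     = $fields['SubjectUserSid']      # "Subject: Security ID"
            SubjectAccount = & $clean $fields['SubjectUserName']
            TargetSid      = $fields['TargetUserSid']       # "New Logon: Security ID"
            TargetAccount  = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
            TargetLogonId  = $fields['TargetLogonId']
            LogonType      = [int]$fields['LogonType']
            Workstation    = & $clean $fields['WorkstationName']
            SourceAddress  = & $clean $fields['IpAddress']
            SourcePort     = & $clean $fields['IpPort']
        }
    }
}

# Offline run against the constructed sample: keep network logons (type 3) only.
$logon = $sampleXml | ConvertFrom-LogonEventXml
$logon | Where-Object { $_.LogonType -eq 3 } |
    Format-List TimeCreated, Computer, SubjectSid, TargetSid, TargetAccount,
                LogonType, SourceAddress, SourcePort

# Against a live Security log (requires an elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 100 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml |
#     Where-Object { $_.LogonType -eq 3 }
```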

Similar Messages

  • PowerShell Script Get the User's Active Directory Fully Qualified Login Name for Specific Locked Out Accounts

    I have a script which displays locked out accounts. It works great.
    I'd like to display the fully qualified Active Directory Login Name instead of the LastName, First Name:
    Example: Davis, Susan
    Want instead: Domain\Susan.Davis
    I'd also like to include an additional filter to look for only Domain\Susan.Davis OR Domain\Robin.Givens
    Here is my script:
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
    $colProplist = "name","samaccountname"
    foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
    $colResults = $objSearcher.FindAll()
    foreach ($objResult in $colResults) {
        $domainname = $objDomain.name
        $samaccountname = $objResult.Properties.samaccountname
        $user = [ADSI]"WinNT://$domainname/$samaccountname"
        $ADS_UF_LOCKOUT = 0x00000010
        # Output the name only when the lockout flag is set on the account
        if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
            $objResult.Properties.name
        }
    }
    John
    John

    Sorry, I should have mentioned that the cmdlets I'm using are part of the Active Directory module. You'll need to install the RSAT (Win7+) to use them.
    If you'd rather stick with your DirectorySearcher methods instead of moving to the AD module, you can adjust your output by using something like this instead:
    if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
        "$domainname\$($objResult.Properties.samaccountname)"
    }
    $domainname might not be what you're expecting, just FYI.
    As for filtering, you can add to the if statement and check for your known usernames only.
    Don't retire TechNet! -
    (Don't give up yet - 12,700+ strong and growing)

  • Business Transaction Event - for bank details

    Hi
    In tcode BP (Business Partner) - tab "Payment Transactions" there is a field for Bank Account.
    In tcode FK02 (Change Vendor) - "Payment Transactions" in area "general data" there is a field Bank Account.
    For BP the field Bank Account may be initial, but for Vendor (FK02) it is not allowed to be initial.
    I have found out, that BTE (Business Transaction Event) could be a solution, but I don't know how to proceed with that.
    In tcode FINF (BTE) there is an event with number 00003000 (Bank Details Check Routine: Alternative Check), but I don't know how I can use it, and/or how I implement the changes.
    Has anybody an idea how to solve the issue?
    Thanks.

    Hi,
    Assign your new function module in FIBF via Menu path Settings --> P/S function modules (or Process function modules, depending on the BTE you are using) --> ...of a customer. Enter the BTE number and the name of your new function module. Country and application should remain blank, unless the BTE you are using offers those features.
    Check the link http://wiki.sdn.sap.com/wiki/display/Snippets/BusinessTransactionEvents+(BTE).
    Thanks & Regards,
    Neela
    Edited by: Neela M B on Sep 2, 2010 4:03 PM

  • Click event for specific timeline label?

    Hello,
    I am creating an interactive map: San Diego Gaslamp Interactive Walking Map
    ...it is still in progress at the moment, so only a few things work.
    This question is in regards to the "LODGING/ACCOMMODATIONS" menu on the right hand side.
    I am trying to create 2 click events. Click to open and click to close, so I'm wondering if it's possible to do something like this:
    if at label 2 sym.stop("label1");
    if at label 1 sym.stop("label2");
    I'm not sure how to code the "if at label 2" part...or if it's even possible.
    Any help would be greatly appreciated!

    Hi Redesign,
    Thanks for the response!
    I adjusted your code to my document and added the following to the "lodgingindexbutton", but it doesn't appear to be working:
    var MyStop=0;
    sym.$('lodgingindexbutton').bind("click",function(){
        if (MyStop==0){
            sym.stop("lodgingstart");
            MyStop=1;
        } else {
            sym.stop("lodgingover");
            MyStop=0;
        }
    });
    Not sure if I did something wrong?...
    If you are up for it, I have attached the original files here:
    http://adobe.ly/1vZTtqf
    I am trying to add the "2 clicks" code to the "lodgingindexbutton".
    You can get to it by double-clicking the Index in the upper right corner.
    Then you will see the "lodgingindexbutton" at the top of the index.
    As you can see, I currently have it set to just open, then you can close it by clicking the triangle.
    This is working and will be fine, but I thought it would be nice to click open and click closed as it seems that's what a user would want to do.
    Any help would be appreciated. Thanks so much!!
    Jason

  • Item Details - Event for 'Create', 'Close' buttons - possible?

    Hi Friends,
    I am looking for EPCF Events for Item Details iView. I am able to show the record in this iView by selectIdHandler. Now, I want to clear the iView content - the functionality when we click the 'Close' button.
    So, does any one of you know any Events to fire Create, Close buttons on Item Details iView?
    Thanks,
    Raags

    Hello Raags,
    Have you discovered how to trigger any of those events? I'm having a similar issue.
    I need when I open the record to have it in Edit mode already, not to click the Edit button in order to get there.
    Let me know if you discovered a solution.
    Best regards,
    Boris

  • Cannot open database "ReportServer" requested by the login. The login failed. Login failed for user 'USER LOGON'

    I want to grant permissions to all domain users to view reports on our Report Server. Domain users are able to access our Report Server URL and folder, but when they click on a report item they get an error message: 
    "Cannot open database "ReportServer" requested by the login. The login failed. Login failed for user 'USER LOGON'"
    I'm using windows authentication and configured the local service account in SSReportS Config Manager as the credentials to connect to the Report Server DB. 
    Can someone please help how I should properly do this step by step to give all domain users permissions to view a report in SSRS?
    Thanks much! - Rookie DBA

    Hi IWAR,
    The error message "Cannot open database "ReportServer" requested by the login. The login failed. Login failed for user 'USER LOGON'" means the user 'USER LOGON' does not have permissions to access the "ReportServer" database.
    To fix this issue, please verify that the user has a valid database user login. For more details, please refer to the following steps.
    In SQL Server Management Studio, open Object Explorer and expand the Databases folder.
    Expand the database in which to create the new database user.
    Right-click the Security folder, point to New, and then click User.
    On the General page, enter a name for the new user in the User name box.
    In the Login name box, enter the name of a SQL Server login to map to the database user.
    Click OK.
    Reference:
    http://technet.microsoft.com/en-us/library/ms156468(v=sql.105).aspx
    Hope this helps.
    Thanks,
    Katherine Xiong
    Katherine Xiong
    TechNet Community Support

  • Windows Login Name and Password

    Hi,
    I am developing an application, which requires the windows login name for greeting and password for validating and granting privileges.
    Could someone please give me the pseudo code for getting the windows login name and password.
    Thanks,
    Mitra.

    I'll try to validate some other parameter instead of password. The password will be stored but it will be encrypted.
    Bad Thing (TM). Never store passwords.
    When we are able to get the UserName using JavaScript, why can't we get it using Java.
    I told you how to get it. And what does Javascript have to do with anything? Just because you can drive through a very narrow alley with your bicycle, you should be able to do the same with a truck? Javascript and Java are not related in any way.

  • Window close event

    Hi friends,
    Have a peaceful day.
    I want to capture a window close event.
    For example, while closing the window I want to display an alert message.
    It works in forms, but I want it in the main window.
    Please give me sample code.
    thanks
    rex

    Hi, thanks.
    I have one more doubt.
    There was a problem in my project:
    if the signout button is clicked, my database changes properly from YES to NO,
    but if they close the window without signing out, there is a problem:
    the database does not change.
    How can I restrict this?
    Give me an idea.
    thanks
    rex
    Message was edited by:
    kingofpeace

  • TS1702 Apps asking for specific information before launch including apple I.D.??? Is this safe?

    A recent app I downloaded named Death Rally was asking for specific details regarding my iTunes account, including my password, my name and childhood names, which are common security passwords, and it requires this information before the game will launch. Is this safe? It does not appear to be; however, since it is from Apple, is it not protected and secure to use?

    Have you restarted your iPad or reset the device since you downloaded this game? Or even quit the game completely and restarted the iPad? I don't know if that would clear this issue up, but frankly, I just don't think that the game should be behaving like this. I have never heard of an app requiring multiple security questions.
    Is this a Game Center game? I have a Game Center account, but other than a user name and password, I don't ever recall the game requesting security answers.

  • AnyConnect pre Windows login connects and disconnects for some users

    Hi,
    I have Cisco VPN AnyConnect (version 3.1.0310) clients with a connectivity issue which manifests as follows:
    A user boots their Windows 7 SP1 laptop up.
    Before Windows login, the user clicks "switch user" and enters their Cisco AnyConnect credentials (this connects OK).
    Once the VPN tunnel is established a user logs into Windows.
    At this point, 1 of 2 things happen:
    1. Most users' VPN connection stays connected and user GPO processing\logins work as normal
    2. For a minority of users, the VPN connection disconnects and then reconnects. The VPN disconnect and reconnect causes connectivity issues with mapped drives and Outlook (most likely due to GPO processing not applying as the VPN tunnel wasn't established at the required time).
    There are no known commonalities between problematic users - all users are in the same OU and laptops are in the same OU, so they should be getting the same AD settings. The same user can login 14 times OK, but may experience this issue on the 15th occasion.
    Within the profile xml file (stored in c:\program data\) the key "AutoConnectStart" is set to false for user controllable and default value. The XML policy settings are being applied correctly (we've checked Event ID 3010 within the Cisco AnyConnect Windows logs).
    What we have noticed from using the back end Cisco monitoring client is that users who experience connection issues connect pre Windows login OK, but once they're logged into Windows the Cisco VPN AnyConnect seems to try and re-connect, which causes the current VPN tunnel to disconnect and re-connect. This disconnect and re-connect for users seems to cause issues with logon and GPO processing.
    So far, the only rock solid way we've found of stopping this disconnect and re-connect behaviour is by configuring a system deny permission on registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run". This key contains an entry for Cisco AnyConnect VPN. Unfortunately setting a deny on the individual node value isn't possible and if the key is deleted or modified the system re-creates it. I'd rather avoid setting a system deny on the key for all users.
    Any advice on how to troubleshoot and diagnose this problem is appreciated.
    Thanks

    I've attached some log files in case someone is particularly keen eyed at spotting issues (all data is anonymized)

  • 2 windows logins,  2 ipods - sync specific ipod with userid ?

    I use 2 different userids for my wife and son on our Dell desktop which uses Windows XP. They each have ipods with very different playlists under their userids. The problem is that my wife leaves her ipod connected to the usb port to charge it. If my son signs onto his userid and opens iTunes, it syncs his playlist to her iPod which is plugged in. Is there a way to associate the serial # of the iPod with a specific windows login so that it does not do the sync ?

    Hey marcshap,
    If the iPod is set to autosync to her user ID, then before it can be synced to another user ID logged in, it is likely someone is clicking yes to a prompt about "iPod is linked to another iTunes Library".
    See the section about Automatic mode in this article for more information.
    You also might want to consider Manual mode, see this article
    Hope this helps,
    Generik
    PowerMac G4/Dell Precision WS 370, XP Pro   Mac OS X (10.4.7)  

  • Printer is asking for a user access code instead of Windows login and password?

    I have been seeing the HP printers (LaserJet M4555 MFP, LaserJet 500 color MFP M575, etc.) asking for a user access code instead of the Windows login and password.
    One thing I have noticed is that when this happens there is a slight change in the EWS page configuration at security -> access control. The device administrator tab is unchecked, as you can see below, when this happens.
    I have tried cold resetting the printer and restoring factory settings, but this does not work; sometimes it does work for a while, but the issue is returning back.
    We do not need this access code prompt; instead we need the usual Windows login and password that used to be there originally.
    Also, this is how the settings look after a cold reset, sometimes, when it does not ask for the user access code. The problem is cold reset does always works and it reverts back to its original settings.

    @munish259272
    Thank you for using HP Support Forum. I have brought your issue to the appropriate team within HP. They will likely request information from you in order to look up your case details or product serial number. Please look for a private message from an identified HP contact. Additionally, keep in mind not to publicly post (serial numbers and case details).
    If you are unfamiliar with the Forum's private messaging please click here to learn more.
    Thank you,
    Omar
    I Work for HP

  • Cannot connect to SERVER. Login failed for user 'DOMAIN\user'. (Microsoft SQL Server, Error 18456) - SQL Server 2012 on Windows Server 2008 R2

    I've seen multiple blogs and forums with similar problems and SQL 2012 or 2008. But no solutions that work for me.
    I have installed SQL Server in mixed mode (SQL and Windows authentication). I can create new Login accounts in either mode. However, I cannot get an AD security group Login account to work. I am trying to add group 'DOMAIN\Domain Admins' or 'SERVER\Administrators' as a Login so that any of the domain's administrator accounts can open SQL Server Management Studio and act as an 'sa' account on this server.
    I have deleted the SQL account 'DOMAIN\Domain Admins'.
    I have restarted SQL.
    I have restarted the Win2K8r2 server.
    I have launched SSMS as Administrator from the desktop of SERVER.
    I have launched SSMS as another user (and used 'DOMAIN\user' to launch it) from the desktop of SERVER.
    I can create a login account named 'DOMAIN\user' (who happens to be a member of the 'DOMAIN\Domain Admins' group) and give this account 'sa' security, and when I do that, this account works as expected...
    How do I add a security group as a Login account and give all members of that group the ability to be an 'sa' account?

    Hi geoperkins,
    Are you getting the following error message?
    Error: 18456, Severity: 14, State: 11
    Login failed for user <Domain\user>. Reason: Token-based server access validation failed with an infrastructure error.
    If that is the case, the issue could be due to that the Windows login has no profile or that permissions could not be checked due to UAC. Please disable UAC firstly and check if it is successful to log in SQL Server.
    Another reason could be that the domain controller could not be reached. You may need to resort to re-creating the login. Create a new group in AD, add users to the new group, then add the group to the local admin group and create login for the group in SQL Server.
    There is a connect item describing similar issue for your reference.
    https://connect.microsoft.com/SQLServer/feedback/details/680705/cant-login-to-sql-using-windows-authentication-when-user-is-in-a-domain-security-group
    For more details about above error, please review the following blog.
    http://sqlblogcasts.com/blogs/simons/archive/2011/02/01/solution-login-failed-for-user-x-reason-token-based-server-access-validation-failed-and-error-18456.aspx
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • User login report in Active Directory for specific date and time

    I want to get a user login report in Active Directory for a specific date and time, e.g. user logged in at 15-01-2015 from 8:00am to 4:00pm.
    Is there any query, script or tool available?
    Waiting for reply please

    You can identify the last logon date and time using my script here: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
    If you would like to go back in time and see when the user did a logon / logoff then you need to have auditing enabled. Once done, you can read records from the Security log in the event viewer: https://social.technet.microsoft.com/Forums/windowsserver/en-US/98cbecb0-d23d-479d-aa65-07e3e214e2c7/manage-active-directory-users-logon-logoff-events
    I have started a Wiki about how to track logon / logoff and it can help too: http://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile
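
The time-window query asked about in this thread, as an added example that is not part of the original posts: it reads event 4624 from the Security log with Get-WinEvent and indexes the EventData fields by name. The function names, the sample XML and the account name are assumptions made for illustration.

```powershell
# Added example (not from the thread). Requires logon auditing to be enabled
# and rights to read the Security log on the machine being queried.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory)][xml]$Xml, [datetime]$TimeCreated)
    # EventData is a flat list of <Data Name="...">value</Data>; index it by name
    # so the Subject and New Logon fields cannot be confused.
    $data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        Computer    = $Xml.Event.System.Computer
        Domain      = $data['TargetDomainName']
        Account     = $data['TargetUserName']
        LogonType   = [int]$data['LogonType']   # 2 = interactive, 3 = network, 10 = RDP
        SourceIp    = $data['IpAddress']
    }
}

function Get-UserLogon {
    param(
        [Parameter(Mandatory)][string]$Account,   # sAMAccountName without the domain
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # The time bounds are part of the log query, so old events are never fetched.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object { ConvertFrom-LogonEvent -Xml $_.ToXml() -TimeCreated $_.TimeCreated } |
        Where-Object { $_.Account -eq $Account }
}

# Constructed sample event (values invented) to exercise the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>dc01.test.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="TargetDomainName">test</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.168.10.11</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEvent -Xml $sample -TimeCreated (Get-Date '2015-01-15T09:12:44')

# The window asked about in the thread: 15-01-2015, 8:00am to 4:00pm.
Get-UserLogon -Account 'administrator' -Start '2015-01-15 08:00' -End '2015-01-15 16:00'
```

Event 4624 is written on the computer where the logon took place, so a domain-wide report means running the query against each machine of interest or against a central event collector.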

  • Finding Windows Login details from R3 system

    Friends,
       We have a requirement where we need to find the Windows login user ID of an employee from a SAP report. In the report we will be having a button. whenever we click on the button we should get that particular user's windows login ID.
    The report will have SAP user ID.
    Can you please help me out in this regard? Thanks in advance.
    Regards,
    Sreethan

    Use the FM GUI_GET_DESKTOP_INFO. Please refer to the program given below for details.
    REPORT ZEXAMPLE.
    DATA: V_VALU(255)       TYPE C,
          INFOREQ           TYPE I VALUE '-2'.
    WHILE INFOREQ NE 13.
      CALL FUNCTION 'GUI_GET_DESKTOP_INFO'
        EXPORTING
          TYPE   = INFOREQ
        CHANGING
          RETURN = V_VALU.
      CASE INFOREQ.
        WHEN '-2'.
          WRITE:/ 'SAP SYSTEM DIRECTORY:', V_VALU.
        WHEN '1'.
          WRITE:/ 'COMPUTER NAME:', V_VALU.
        WHEN '2'.
          WRITE:/ 'WINDOWS DIRECTORY:', V_VALU.
        WHEN '3'.
          WRITE:/ 'WINDOWS SYSTEM DIRECTORY:', V_VALU.
        WHEN '4'.
          WRITE:/ 'TEMPORARY DIRECTORY:', V_VALU.
        WHEN '5'.
          WRITE:/ 'WINDOWS USER NAME:', V_VALU.
        WHEN '6'.
          WRITE:/ 'WINDOWS OS:', V_VALU.
        WHEN '7'.
          WRITE:/ 'WINDOWS BUILD NUMBER:', V_VALU.
        WHEN '8'.
          WRITE:/ 'WINDOWS VERSION:', V_VALU.
        WHEN '9'.
          WRITE:/ 'SAP GUI PROGRAM NAME:', V_VALU.
        WHEN '10'.
          WRITE:/ 'SAP GUI PROGRAM PATH:', V_VALU.
        WHEN '11'.
          WRITE:/ 'SAP CURRENT DIRECTORY:', V_VALU.
        WHEN '12'.
          WRITE:/ 'DESKTOP DIRECTORY:', V_VALU.
      ENDCASE.
      INFOREQ = INFOREQ + 1.
    ENDWHILE.
