| KB ID: | 10005 |
| Last Revision: | November 26, 2006 |
| Version: | 1.0 |
Search: Find all computers that a specific user has logged onto.
The primary logons to a computer are logged as:
- Successful Logon (ID: 528)
- Service Ticket Request (ID: 673)
On top of Successful Logons (ID: 528), logons to remote machines might be logged as a Service Ticket Request (ID: 673). Service Ticket Requests are more accurate when using Log Fidelity's solution because domain controllers log multiple identical Service Ticket Requests during the entire session when the user is logged on, but Log Fidelity's solution filters out all the multiple Service Ticket Requests and only logs one Service Ticket Request when the logon actually happens. The only difference between Successful Logons and Service Ticket Requests is that the IP logged by a Successful Logon sometimes contains the IP address of the remote computer if the user is logging in remotely via Terminal Service (aka Remote Desktop) whereas the IP logged in the Service Ticket Request is always the IP Address of the computer being logged onto.
PREREQUISITES
The name (aka sAMAccountName) of the user.
ESTIMATED QUERY TIME
< 1 second.
METHOD 1 (Advanced Search)
1. Enter the username in the
Client Name field.
2. Enter the computer name in
the Target Name field.
3. Select Logon Events only.
4. Select "Success" in the Type field.
5. Click Submit.
LIKELY SCENARIOS IT APPLIES TO
- You want the usage information of a user account on a computer.
FINE TUNE YOUR SEARCH
If you know the time scope, domain of the computers, or want to restrict your searches to users in a specific domain you can fine tune your search.