
Logon History File for Users/Log of User Actions?

Status
Not open for further replies.

ShawnF (IS-IT--Management; joined Oct 1, 2001; 149 messages; US)

I came in to work this morning and there was some suspicious activity performed on a Windows 2000 Professional computer the night before. All our machines log on to a Windows 2000 domain with 3 2000 servers. I would like to be able to trace any events/steps that occurred. One of our users admits to using the computer, but she says she logged on as her own profile and not the administrator. Someone had to have logged on as administrator because that's the name that popped up in the user name field when the computer was turned on this morning. This user also happens to be the only person here that knows the admin password, and it's not a password that was easily guessable by others.

Is there a way for me to check if this person really logged on as herself, and what time she logged back off and logged on again as administrator? I am convinced this person logged on as admin and is lying, but I would like to get some proof. I would also like to try and track down whatever else this person might have been doing. I hate to do all of this, but what this person says they were doing and what they were observed to be doing (surfing the internet at a minimum) by a passerby are two different things. And because of whatever this person did last night, the Computer Manufacturer's (Dell) backup software was trying to run when logging in as Admin but it wouldn't complete because it was asking for the backup CD. There were several entries in the Event Viewer of the backup trying to run but not completing.

What can I do to investigate this? We have a firewall, but I don't think it's fully set up for logging yet. I've been working on that this week, but didn't get a chance to complete it. I'm new to this network admin thing...
 
Throughout the day today I've learned how to set up logging in the firewall, and can figure out what's going on from this point on, but are there any W2k logs anywhere that show logons, either on the W2k server or on the W2k Professional client in question?
 
Hi.

In Active Directory Users and Computers, select your domain or a specific OU containing Win2000 computer accounts:
right-click & Properties,
Group Policy
Computer Settings
Security Settings
Local Policies
Audit Policy

Select the "Account Logon Events" for both success and fail.

Check Event viewer of the Domain Controllers and/or the local W2K PRO clients in the "Security" Event log.

This will not work backward (what happened before) but only from now on.

Bye

Yizhar Hurwitz
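
As an added example (not part of the original posts and not the poster's code): once the audit policy above is enabled, rows exported from the Security log can be scanned for a second account authenticating from the same machine shortly after the first. The CSV layout, sample rows, account names, addresses and the event IDs treated as success or failure are assumptions to confirm against your own log.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows, not taken from any real log.
SAMPLE = """time,event_id,account,source
2002-03-05 18:02:11,672,jsmith,10.0.0.23
2002-03-05 18:40:57,675,Administrator,10.0.0.23
2002-03-05 18:41:20,672,Administrator,10.0.0.23
2002-03-05 19:05:00,672,bjones,10.0.0.31
"""

# Assumed Windows 2000 "account logon" event IDs; confirm against your log.
SUCCESS_IDS = {672, 680}
FAILURE_IDS = {675, 681}

def load_events(text):
    """Parse exported rows into time-sorted dicts, keeping only known IDs."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        eid = int(row["event_id"])
        if eid in SUCCESS_IDS | FAILURE_IDS:
            when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            events.append({"time": when, "ok": eid in SUCCESS_IDS,
                           "account": row["account"].lower(), "source": row["source"]})
    return sorted(events, key=lambda e: e["time"])

def account_switches(events, window=timedelta(hours=2)):
    """Return (source, previous_account, new_account, time) whenever a different
    account succeeds from the same source within `window` of the previous one."""
    last = {}  # source -> (account, time) of the latest successful logon
    found = []
    for e in events:
        if not e["ok"]:
            continue
        prev = last.get(e["source"])
        if prev and prev[0] != e["account"] and e["time"] - prev[1] <= window:
            found.append((e["source"], prev[0], e["account"], e["time"]))
        last[e["source"]] = (e["account"], e["time"])
    return found

def failures_for(events, account):
    """Failed attempts for one account, e.g. a mistyped admin password."""
    return [e for e in events if not e["ok"] and e["account"] == account.lower()]

if __name__ == "__main__":
    for src, a, b, t in account_switches(load_events(SAMPLE)):
        print(f"{t} {src}: {a} -> {b}")
```
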
 
Hello Yizhar,

I tried doing what you said, but I am not doing something right (obviously). When I go to Active Directory, it doesn't matter what group, server, folder etc. I right-click on and select Properties, I don't get a window that has a Group Policy button or tab, nor does it have the other steps you said to take. Can you help me out with what I'm doing wrong? I'm rather new at managing servers, hence my lack of knowledge...
 