  1. #1

    sippo's Avatar

    Who? What? Where?

    We have a vanilla 2008 R2 domain with Windows 7 PCs. We've recently had a security breach where a student was able to log on as a member of staff. I'm not surprised because a lot of staff leave their PCs unlocked despite us telling them numerous times!

    Is there a way of finding out who logged on a certain PC during the day?

  2. #2
    Sunnyknight's Avatar
    Check the logs?

  3. Thanks to Sunnyknight from:

    sippo (16th October 2013)

  4. #3
    HaleStorm's Avatar
    Do you use SCCM? There is a report in there somewhere.
    Other than that as Sunny said check the local system logs

  5. Thanks to HaleStorm from:

    sippo (16th October 2013)

  6. #4

    sippo's Avatar
    what is sccm?

  7. #5


    Quote Originally Posted by sippo View Post
    what is sccm?
    system configuration virtual machine manager. A complex bit of software for deploying os/apps to pc(s) and monitoring them

  8. #6

    Domino's Avatar
    Quote Originally Posted by sted View Post
    system configuration virtual machine manager. A complex bit of software for deploying os/apps to pc(s) and monitoring them
    errr.. System Center Configuration Manager actually.

    the SCVMM part is for managing virtual hosts/guests....

    OT: if you know the machine, check through the security log. However if they logged on *as* a teacher, you'll only see that account logon.

    if you don't know the machine, the DCs security logs are the place to look.

    Also, you say you're not surprised cause the machine may have been unlocked - in that case you won't have a logon event, as the logon will have taken place when the teacher logged in.

    Make any kind of sense?

  9. #7

    Ephelyon's Avatar
    And DC security logs.

    Le edit: great minds, Domino...

  10. #8

    sippo's Avatar
    Is SCCM free?

    I have checked the logs and nothing for the day in question. No-one logged in on that PC. The Teacher was out and a supply teacher was covering for the day.

    If staff were more security diligent this issue wouldn't occur but there's only so many times we can tell them. As for autolock, we have tried that and it went down a treat (Sarcasm).

    There is an interview today with the student and they are hoping he will confess.

  11. #9


    If you definitely know the PC this happened on, but not the member of staff whose account was used, the event logs can show who logged onto a system (Windows Logs, Security.. Created by Microsoft Windows Security Auditing with an ID of 4624) - the logon types you'll be interested in are likely 2 and 7 (Local and Unlock respectively), but this won't really tell you an amazing amount, just the account that was used and when it was logged on, but no information about the child that actually did it.

    Type 7 at the time of the incident may imply the student actually knows the staff member's password, rather than the workstation being left unlocked. More likely is a Type 2 a little while before (i.e. staff member logs on and toddles off to do something else)


    Edit: Didn't see you replying as I did. If there are no logon records for that day in the local machine's event log, what makes you think it was that particular machine? How have you pinned it down?
    Last edited by Garacesh; 16th October 2013 at 09:24 AM.
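
The Security-log check described in the post above, as an added example that is not part of the original thread: a PowerShell query for event ID 4624 with logon types 2 and 7 on one PC for one day. The computer name and date are placeholders, and it assumes logon auditing is enabled and the PC allows remote event log access.

```powershell
# Added example, not code from the thread.
# Assumptions: run from an admin workstation with rights to read the remote
# Security log; $Computer and $Day are placeholder values to replace.
$Computer = 'ROOM12-PC01'             # hypothetical workstation name
$Day      = [datetime]'2013-10-15'    # constructed example date

# Logon types named in the thread: 2 = local console logon, 7 = unlock.
$typeName = @{ 2 = 'Interactive'; 7 = 'Unlock' }

$logons = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $Day
        EndTime   = $Day.AddDays(1)
    } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $type = [int]$data['LogonType']
        if ($typeName.ContainsKey($type)) {
            New-Object psobject -Property @{
                Time    = $_.TimeCreated
                Type    = $typeName[$type]
                Account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            }
        }
    } |
    Sort-Object Time

if ($logons) {
    $logons | Format-Table Time, Type, Account -AutoSize
} else {
    # An empty result is not proof that nobody used the PC: logon auditing may
    # be off, or the Security log may have rolled over since that day.
    Write-Warning "No type 2 or 7 logons recorded on $Computer for $($Day.ToShortDateString())."
}
```

A session that was left unlocked produces no new 4624 event at the time of misuse, so the relevant row is the earlier Interactive logon for the same account.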

  12. #10

    plexer's Avatar
    Unless you are auditing logon/logoff on the machines I don't think you'll see it plus you'll only see the actual account used and I would think you'd know that anyway?

    Ben

  13. #11
    zag
    We run a script that logs all staff and admin logins and the computer they logon at to a text file each day.

    PHP Code:
    rem The following line creates a rolling log file of usage by workstation
    echo Log In %Date% %TIME% %USERNAME% >> "\\servername\Logs\Computer\%COMPUTERNAME%.log"

    rem The following line creates a rolling log file of usage by user
    rem (path quoted so account names containing spaces still work)
    echo Log In %Date% %TIME% %COMPUTERNAME% >> "\\servername\Logs\User\%USERNAME%.log"
    For admins we also use bmail.exe to send an email to me whenever we login. If anyone ever did have our logins we would know about it hopefully.

    PHP Code:
    \\server\scripts$\bmail.exe -s smtpserver -t email@school.co.uk -f schoolname@gmail.com -"::Logged:: Administrator has just logged on at [%computername%]" 
    Makes it easy to check for any unauthorized access.
    Last edited by zag; 16th October 2013 at 09:36 AM.

  14. #12
    SovietRussia's Avatar
    I built a little program that when a user logs in, it runs the EXE and parses all the data like PC Name, Username, Time/Date into a MySQL Database ("active users" and "logs"), when they log off it removes them from the "active users" table.

    I then built a small PHP page with a graph to show user logins at certain times, how many users logged in - multiple users logged in etc etc

  15. #13
    happymeal's Avatar
    Event Viewer is your friend - audit logs and SCCM should tell you what account was logged into that machine around that time.

    IMO If it's definitely the Teacher's log-in details, but he wasn't in, the responsibility for that account would STILL lay with the Teacher (Regardless of your scripts alerting you - some good ones there too, might pinch that!).

    It's still his/her account, and his/her password - nobody else should have access to it, and if they've left it logged in and unlocked recently then they've compromised it so that little Billy can change the password or learn what it is for use at a later time.

    If the Student confesses, then great. But I'd still pull the Teacher in and remind them that the account is for Teachers and has a lot of confidential data and make it clear that they shouldn't leave it logged in/unlocked, or give people their details. Might be worth firing out an email to all Staff as well, using this as an example.

  16. #14

    fiza's Avatar
    Quote Originally Posted by SovietRussia View Post
    I built a little program that when a user logs in, it runs the EXE and parses all the data like PC Name, Username, Time/Date into a MySQL Database ("active users" and "logs"), when they log off it removes them from the "active users" table.

    I then built a small PHP page with a graph to show user logins at certain times, how many users logged in - multiple users logged in etc etc
    You wouldn't want to share this with those of us who are carp at programming would you?
