Who? What? Where?
We have a vanilla 2008 R2 domain with Windows 7 PCs. We've recently had a security breach where a student was able to log on as a member of staff. I'm not surprised because a lot of staff leave their PCs unlocked despite us telling them numerous times!
Is there a way of finding out who logged on a certain PC during the day?
Do you use SCCM? There is a report in there somewhere.
Other than that, as Sunny said, check the local system logs.
system configuration virtual machine manager. A complex bit of software for deploying OS/apps to PC(s) and monitoring them
Originally Posted by sippo
errr.. System Center Configuration Manager actually.
Originally Posted by sted
the SCVMM part is for managing virtual hosts/guests....
OT: if you know the machine, check through the security log. However, if they logged on *as* a teacher, you'll only see that account logon.
If you don't know the machine, the DCs' security logs are the place to look.
Also, you say you're not surprised cause the machine may have been unlocked - in that case you won't have a logon event, as the logon will have taken place when the teacher logged in.
Make any kind of sense?
And DC security logs.
Le edit: great minds, Domino...
Is SCCM free?
I have checked the logs and nothing for the day in question. No-one logged in on that PC. The Teacher was out and a supply teacher was covering for the day.
If staff were more security diligent this issue wouldn't occur but there's only so many times we can tell them. As for autolock, we have tried that and it went down a treat (Sarcasm).
There is an interview today with the student and they are hoping he will confess.
If you definitely know the PC this happened on, but not the member of staff whose account was used, the event logs can show who logged onto a system (Windows Logs, Security.. Created by Microsoft Windows Security Auditing with an ID of 4624) - the logon types you'll be interested in are likely 2 and 7 (Local and Unlock respectively), but this won't really tell you an amazing amount, just the account that was used and when it was logged on, but no information about the child that actually did it.
Type 7 at the time of the incident may imply the student actually knows the staff member's password, rather than the workstation being left unlocked. More likely is a Type 2 a little while before (i.e. staff member logs on and toddles off to do something else).
Edit: Didn't see you replying as I did. If there are no logon records for that day in the local machine's event log, what makes you think it was that particular machine? How have you pinned it down?
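The event 4624 check described in the post above, as an added PowerShell example that is not part of the original thread: it keeps only logon types 2 (local) and 7 (unlock) and reports the account and time. The function name, the PC name `PC-ROOM12`, the account `jsmith`, the domain `SCHOOL` and the dates are constructed for illustration.

```powershell
# Added example: pull interactive (2) and unlock (7) logons out of event ID 4624.
function ConvertFrom-LogonEventXml {
    param([Parameter(ValueFromPipeline = $true)][string]$Xml)
    process {
        $evt  = ([xml]$Xml).Event
        $data = @{}
        # EventData is a list of <Data Name="...">value</Data> elements.
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Drop network, service and other non-console logon types.
        if (@('2', '7') -contains $data['LogonType']) {
            New-Object PSObject -Property @{
                TimeUtc   = $evt.System.TimeCreated.SystemTime   # UTC string as logged
                LogonType = [int]$data['LogonType']
                Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            }
        }
    }
}

# Constructed sample events (not real log data) so the parser can be tried offline.
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
       '<System><EventID>4624</EventID><TimeCreated SystemTime="{0}"/></System>' +
       '<EventData><Data Name="TargetUserName">{1}</Data>' +
       '<Data Name="TargetDomainName">SCHOOL</Data>' +
       '<Data Name="LogonType">{2}</Data></EventData></Event>'
$sample = @(
    ($tpl -f '2012-03-14T08:55:02.000000000Z', 'jsmith',     2),  # console logon
    ($tpl -f '2012-03-14T09:10:40.000000000Z', 'PC-ROOM12$', 3),  # network logon, filtered out
    ($tpl -f '2012-03-14T11:32:17.000000000Z', 'jsmith',     7)   # unlock with password
)
$sample | ConvertFrom-LogonEventXml | Sort-Object TimeUtc |
    Format-Table TimeUtc, LogonType, Account -AutoSize

# Live use against a known PC (hypothetical name and time window):
# Get-WinEvent -ComputerName 'PC-ROOM12' -FilterHashtable @{
#     LogName   = 'Security'; Id = 4624
#     StartTime = [datetime]'2012-03-14 08:00'; EndTime = [datetime]'2012-03-14 16:00'
# } | ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
```

A type 2 entry with no later type 7 before the incident is consistent with a session that was left unlocked; the log still names only the account, not the person at the keyboard.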
Unless you are auditing logon/logoff on the machines I don't think you'll see it plus you'll only see the actual account used and I would think you'd know that anyway?
We run a script that logs all staff and admin logins and the computer they logon at to a text file each day.
For admins we also use bmail.exe to send an email to me whenever we login. If anyone ever did have our logins we would know about it hopefully.
rem The following line creates a rolling log file of usage by workstation
echo Log In %Date% %TIME% %USERNAME% >> "\\servername\Logs\Computer\%COMPUTERNAME%.log"
rem The following line creates a rolling log file of usage by user
rem (path is quoted so that user names containing spaces do not break the redirect)
echo Log In %Date% %TIME% %COMPUTERNAME% >> "\\servername\Logs\User\%USERNAME%.log"
Makes it easy to check for any unauthorized access.
\\server\scripts$\bmail.exe -s smtpserver -t email@example.com -f firstname.lastname@example.org -b "::Logged:: Administrator has just logged on at [%computername%]"
I built a little program that when a user logs in, it runs the EXE and parses all the data like PC Name, Username, Time/Date into a MySQL Database ("active users" and "logs"), when they log off it removes them from the "active users" table.
I then built a small PHP page with a graph to show user logins at certain times, how many users logged in - multiple users logged in etc etc
Event Viewer is your friend - audit logs and SCCM should tell you what account was logged into that machine around that time.
IMO, if it's definitely the Teacher's log-in details, but he wasn't in, the responsibility for that account would STILL lie with the Teacher (Regardless of your scripts alerting you - some good ones there too, might pinch that!).
It's still his/her account, and his/her password - nobody else should have access to it, and if they've left it logged in and unlocked recently then they've compromised it so that little Billy can change the password or learn what it is for use at a later time.
If the Student confesses, then great. But I'd still pull the Teacher in and remind them that the account is for Teachers and has a lot of confidential data and make it clear that they shouldn't leave it logged in/unlocked, or give people their details. Might be worth firing out an email to all Staff as well, using this as an example.
You wouldn't want to share this with those of us who are carp at programming would you?