We use a management package that puts Security log data into a database, then produces reports detailing how long users have been logged on to a particular machine. However, since we upgraded from Windows NT 4.0 to Windows 2000, the workstation field for event ID 540 (successful network logon) is blank. The problem seems to be associated with the fact that Win2K uses Kerberos rather than NT LAN Manager (NTLM) for authentication. How can we get Win2K to log the workstation name properly?
When a Win2K system uses Kerberos for the logon, the OS doesn't capture the workstation name. Unlike NTLM, Kerberos is TCP/IP-based and doesn't use NetBIOS computer names during communication. However, you can obtain the workstation's IP address by looking at your domain controller's (DC's) Security log for events that the Audit account logon events audit category generates. When a user logs on to a network server, the user's workstation obtains a ticket to the server from a DC. If you've enabled Audit account logon events in your Default Domain Controllers Policy Group Policy Object (GPO), the DC will record logon events as event ID 673, which Figure 3 shows. The details of this event show the user involved, the server, and the workstation's IP address. You can use your DHCP server's log to determine the workstation's name from the IP address. For instructions about how to configure DHCP server logging, see FAQ 3885 on the JSI FAQ Web site (http://www.jsifaq.com/subh/tip3800/rh3885.htm).
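The lookup described above, as an added example that is not from the original article: it matches the client IP address in each event ID 673 record to the workstation that held that address in the DHCP server log at the time of the event, so an address reassigned to another machine is not misattributed. It assumes the 673 events were exported as the constructed four-column CSV shown (a hypothetical layout) and that the DHCP log uses the column order ID, Date, Time, Description, IP Address, Host Name, MAC Address with IDs 10, 11 and 12 for assign, renew and release; all sample data is constructed.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample in the DHCP server audit log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
DHCP_LOG = """\
10,03/04/02,08:01:12,Assign,10.1.1.50,WKS-ALPHA,00A0C9112233
11,03/04/02,12:01:12,Renew,10.1.1.50,WKS-ALPHA,00A0C9112233
12,03/04/02,13:30:00,Release,10.1.1.50,WKS-ALPHA,00A0C9112233
10,03/04/02,14:05:40,Assign,10.1.1.50,WKS-BRAVO,00A0C9445566
"""

# Constructed event ID 673 records, assumed exported (hypothetical layout) as:
# timestamp,user,service (server) name,client IP address
EVENTS_673 = """\
2002-03-04 09:15:00,jsmith,FILESRV1$,10.1.1.50
2002-03-04 13:45:00,mjones,FILESRV1$,10.1.1.50
2002-03-04 15:00:00,mjones,FILESRV1$,10.1.1.50
2002-03-04 15:10:00,akhan,FILESRV1$,10.1.1.99
"""

ASSIGN, RENEW, RELEASE = "10", "11", "12"  # DHCP audit log event IDs

def load_leases(text):
    """Return {ip: [(time, host or None)]}; None marks a release.
    Log lines are assumed to be in chronological order."""
    leases = {}
    for row in csv.reader(StringIO(text)):
        if len(row) < 6 or row[0] not in (ASSIGN, RENEW, RELEASE):
            continue  # skip header text and other event types
        when = datetime.strptime(row[1] + " " + row[2], "%m/%d/%y %H:%M:%S")
        host = None if row[0] == RELEASE else row[5]
        leases.setdefault(row[4], []).append((when, host))
    return leases

def resolve(events_text, leases):
    """Attach the workstation holding each event's IP at the event time."""
    out = []
    for ts, user, server, ip in csv.reader(StringIO(events_text)):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        host = None
        for lease_time, lease_host in leases.get(ip, []):
            if lease_time > when:
                break  # later lease activity does not apply to this event
            host = lease_host
        out.append((user, server, ip, host or "UNKNOWN"))
    return out

if __name__ == "__main__":
    print(*resolve(EVENTS_673, load_leases(DHCP_LOG)), sep="\n")
```

An UNKNOWN result means the address had no active DHCP lease on record at that time, for example a statically addressed machine or a lease recorded in a log file that was not loaded.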