Created On 09/26/18 13:49 PM - Last Modified 02/07/19 23:45 PM
This document explains how to check user IP mappings on the AD server.
On the AD server we need to create a Custom view and filter with the event id of 4624.
Event ID 4624
This event is generated when a logon session is created. It is generated on the computer that was accessed. This event is controlled by the security policy setting Audit logon events.
Now that you have your centralized log, you can setup how you want to view the information. Consider that you might have thousands of different events logged, with hundreds of event IDs. You would not want to try and sift through all of these events just looking for those events that meet a specific event ID. You don’t have to do that!
Click any one of the audit. There you should be able to view the username as well as the IP address associated with it.
The subject fields indicate the account on the local system that requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. The workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested