How to check user IP mappings on an AD server

This document explains how to check user IP mappings on the AD server.

On the AD server we need to create a Custom view and filter with the event id of 4624.

Event ID 4624

This event is generated when a logon session is created. It is generated on the computer that was accessed. This event is controlled by the security policy setting Audit logon events.

Now that you have your centralized log, you can setup how you want to view the information. Consider that you might have thousands of different events logged, with hundreds of event IDs. You would not want to try and sift through all of these events just looking for those events that meet a specific event ID. You don’t have to do that!

Click any one of the audit. There you should be able to view the username as well as the IP address associated with it.

Here is the sample Audit Log:

An account was successfully logged on.

Subject:

                Security ID:                         NULL SID

                Account Name:                 -

                Account Domain:                             -

                Logon ID:                             0x0

Logon Type:                                       3

New Logon:

                Security ID:                         CSSPAN\administrator

                Account Name:                 Administrator

                Account Domain:                             CSSPAN

                Logon ID:                             0x19383cb1

                Logon GUID:                      {00000000-0000-0000-0000-000000000000}

Process Information:

                Process ID:                          0x0

                Process Name:                  -

Network Information:

                Workstation Name:        CHNLAB-FW57

                Source Network Address:            10.50.243.57

                Source Port:                       33960

Detailed Authentication Information:

                Logon Process:                  NtLmSsp

                Authentication Package:               NTLM

                Transited Services:          -

                Package Name (NTLM only):       NTLM V2

                Key Length:                        128

The subject fields indicate the account on the local system that requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. The workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

                - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

                - Transited services indicate which intermediate services have participated in this logon request.

                - Package name indicates which sub-protocol was used among the NTLM protocols.

                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested