We use some shared accounts (Yes I know it's bad, I am not allowed to change it.) Someone using the shared account is deleting data on a remote server so I need to figure out what computer they are using when they delete the file.

We have an Active Directory domain.
All PCs run Windows (2000/XP/Win7) and are domain members.

I have turned on auditing and can see the account deleting the file but I don't know of any way to get the computer account as well.

Can it be done?

Thanks for the link. It was informative.

If I read this correctly I am still at square #1.   


The key statement which seems to get glossed over is "closely followed by". If you have many users authenticating at or near the same time the "closely followed by" is kinda useless.

I can the username and ip from the security log but there is no way to tie them together conclusively.

Maybe I am missing something?

To see if the computer is logged on:
nbtstat -a <ip>

To find the users name, based solely on his username, then look at your local connection cache:
net send <username> "
nbtstat -c

Tomato, tomatoe... :p  Thanks for the catch.

Sorry, I don't get it. I thought you meant shared as in multiple people can log in with the same account. So you get the IP from the machine that's used to log in. How would you be able to figure out who's sitting at the machine? I don't think you can, unless you're able to find out who used the machine at a specific time.

You asked how to figure out which machine is being used when they delete the file.

Dust for finger prints, setup a video camera, or more serious suggestions would be to setup a key logger or review web proxy logs to see where the logged on user may have gone.

Yes I am talking about a user account shared among several people.

The crux of the issue is:

Nothing in the event log ties a user to a computer. If I have the Same ID logging on at the same time there is no way (that I see) to tie them together conclusively.

The computer and user both authenticate but these are seperate entries in the event log with nothing tying them together.

These are students so WebCams are not an option.

I think I may have to look at sniffing. Bummer. I don't know squat about that.