Tracking Kerberos Authentication Events to Workstations

I'm trying to track down security violations that are originating within our network. I can tell that someone is using compromised accounts, but I can't connect those accounts to particular workstations or users. I've read that when a Windows 2000 domain controller (DC) logs authentication events, the DC can't record the workstation name if the Kerberos authentication protocol was used. All our computers are Win2K or later, so all our authentication takes place through Kerberos. How can I determine the name of the workstation being used to violate security?

When you enable the Audit account logon events audit category on Win2K DCs, Kerberos events don't include the workstation name. However, they do include the client IP address, as Figure 1 shows. You need to track down the IP address in your DHCP server logs to find the MAC address, then use it to find the computer. For details on how to use DHCP server logs, see Ask the Experts, "Differentiating Event ID 530 Logon Failures," September 2003, InstantDoc ID 39773.