You would like to know if the SWG DC Interface monitors logoff events and if a logoff event will cause the SWG to remove a host/IP to login name association.
The DC Interface and SWG only monitor logon events to determine the last user that has logged in to an IP/host. The DC Interface and SWG do not monitor logoff events to remove host/IP to login name associations.
For example, take the following scenario:
User A logs in to machine C using a domain login.
- The SWG sees this login event, and all browsing activity from machine C is registered under User A.
User A logs off from machine C, and User B logs in to machine C using a local system account (no logon information is sent to the Domain Controller, since a domain account was not used).
- Since the SWG has not seen any new login events for machine C, all browsing activity for User B is logged under User A. The SWG continues to log all activity as coming from User A until a new login event is registered for machine C or until the login name to host/IP association expires. (The SWG is working as designed.)
There is currently no way to change this behavior and the SWG is working as designed. To mitigate this kind of scenario, Symantec urges customers to use computer/domain policy to limit the ability of users to log on locally.
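The scenario above can be replayed against host-side logon records to find web log entries recorded under the wrong user. The following is an added example, not Symantec code: the event format, host and user names, and the 3600-second expiry are constructed assumptions, and expiry is assumed to count from the last domain logon.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: int               # seconds since start of capture (constructed)
    kind: str            # "logon", "logoff" or "web"
    host: str
    user: str = ""       # empty for web requests
    domain: bool = True  # False = local account, never reported to the DC

def audit(events, ttl):
    """Replay events; return web requests the gateway logs under the wrong user."""
    assoc = {}    # gateway view: host -> (user, time of last domain logon)
    actual = {}   # host view: host -> user really logged on (None = nobody)
    flagged = []
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "logon":
            actual[e.host] = e.user
            if e.domain:                   # only domain logons reach the gateway
                assoc[e.host] = (e.user, e.t)
        elif e.kind == "logoff":
            actual[e.host] = None          # the gateway keeps its association
        elif e.kind == "web":
            user, since = assoc.get(e.host, (None, 0))
            if user is not None and e.t - since >= ttl:
                del assoc[e.host]          # association expired (assumed model)
                user = None
            if user is not None and user != actual.get(e.host):
                flagged.append((e.t, e.host, user, actual.get(e.host)))
    return flagged

# Constructed sample events following the scenario in the article
SAMPLE = [
    Event(0, "logon", "machine-c", "userA"),
    Event(10, "web", "machine-c"),
    Event(20, "logoff", "machine-c", "userA"),
    Event(30, "logon", "machine-c", "userB", domain=False),
    Event(40, "web", "machine-c"),
    Event(4000, "web", "machine-c"),
    Event(5000, "logon", "machine-c", "userD"),
    Event(5010, "web", "machine-c"),
]

if __name__ == "__main__":
    for t, host, logged_as, real in audit(SAMPLE, ttl=3600):
        print(f"t={t} {host}: logged as {logged_as}, actually {real}")
```

Each returned tuple is (time, host, user the gateway logged, user actually on the host), which gives the window in which reports for that host should not be trusted.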
This information applies when the DC Interface is being used to determine user login names. It does not apply to NTLM authentication.
Imported Document ID: TECH161101