
Why is the “Workstation” field reported as “unknown”?

Last review: Jul 07, 2013
https://kb.netwrix.com/744

Why is the “Workstation” field returned as “unknown” in Change Summaries, reports, and search results?


This can be caused by one of the following:

  1. Security log overwrites. For example, a user logged on to the workstation from which a change was made before Netwrix Auditor was installed, and log overwrites occurred before the product ran the first data collection. For instructions on how to configure the Security event log size and retention policy to prevent log overwrites, refer to https://helpcenter.netwrix.com/Configure_IT_Infrastructure/AD/AD_Security_Log_Size.html. This cause is usually accompanied by corresponding errors in the Netwrix Auditor System Health log.
  2. Audit policies are configured incorrectly. You can configure them automatically in Netwrix Auditor, or manually. For instructions, refer to https://helpcenter.netwrix.com/Configure_IT_Infrastructure/AD/AD_Advanced_Policy.html and https://helpcenter.netwrix.com/Configure_IT_Infrastructure/AD/AD_Domain_Audit_Policies.html. This cause is usually accompanied by corresponding errors in the Netwrix Auditor System Health log.
  3. The change to the audited domain was made through the interface of Exchange Server installed in a different domain.
  4. The change to the audited domain was made through Exchange Management Shell with the impersonation of another user’s account. For example, a user logged on to a workstation under their account and then opened a different session through Exchange Management Shell, which enabled them to perform operations by using the permissions associated with another user’s account.
  5. Native Windows logon events lack information about the IP address of the originating workstation.
  6. The change was made under a computer account (e.g., computer password resets, account lockouts, changes to Service Principal Names, etc.). This is the most common reason. To confirm it, check the ‘Who’ field of the corresponding change: if the account name ends with ‘$’, this is a computer account and the workstation is expected to be ‘unknown’.
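
The following PowerShell triage for causes 1, 5 and 6 is an added example, not part of the original article or of Netwrix Auditor. It assumes an elevated session on a domain controller, treats event ID 4624 (the standard Windows logon event) as the relevant logon record, and uses an arbitrary sample size.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.

# Cause 1: how far back does the Security log reach, and is it allowed to overwrite?
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
[pscustomobject]@{
    MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode       = $log.LogMode   # Circular means the oldest events are overwritten
    OldestEvent   = $oldest.TimeCreated
    CoverageHours = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)
} | Format-List

# Causes 5 and 6: sample recent logon events and flag computer accounts
# and logons recorded without a source IP address.
$SampleSize = 2000   # assumed value, adjust to the volume of the log
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $SampleSize |
    ForEach-Object {
        # Flatten the named <Data> elements of the event into a lookup table.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $fields['TargetUserName']
            IpAddress   = $fields['IpAddress']
            Workstation = $fields['WorkstationName']
            # Cause 6: a trailing '$' marks a computer account.
            IsComputer  = "$($fields['TargetUserName'])".EndsWith('$')
            # Cause 5: Windows writes '-' (or nothing) when no source IP is known.
            NoSourceIp  = [string]::IsNullOrWhiteSpace($fields['IpAddress']) -or
                          $fields['IpAddress'] -eq '-'
        }
    }

# Breakdown of the sample by (IsComputer, NoSourceIp).
$logons | Group-Object IsComputer, NoSourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# User (non-computer) logons with no source IP: the ones worth a closer look.
$logons | Where-Object { -not $_.IsComputer -and $_.NoSourceIp } |
    Select-Object -First 20 Time, Account, Workstation | Format-Table -AutoSize
```

A small CoverageHours value together with a Circular log mode points to cause 1; a sample dominated by computer accounts or by logons without a source IP points to causes 6 and 5.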