Tracking Admin Logon

Archived from groups: microsoft.public.win2000.security

We have multiple domain controllers in our environment, with multiple domain admins. We have created a special account for domain admins. We have also enabled auditing on accounts. The problem is that the admins log in using their regular (non-admin) ID and then use the 'RUN AS' option to run the Active Directory Users admin tool to make changes to the user accounts. The system generates a log for any changes made, e.g. to the global groups. Since they do not interactively log in using their admin ID, there are no corresponding logs recorded for their login.
Is there a way to monitor the user/system that was used to log on to the domain and then use the 'RUN AS' option to execute the other tools?
  1. Archived from groups: microsoft.public.win2000.security

    First you would have to enable auditing of logon events on computers where you want to track runas use. Then you can look for Event IDs 528 and 538 that use "seclogon" [which is secondary logon] as the logon process for those users. You can use Event Comb, free from MS, to scan multiple computers by entering seclogon in the text box and events 528 and 538 as events to search for. Those would be for successful logons using runas. If you also want to track failed logons you will have to scan for more event IDs as shown in the link below. --- Steve

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/518.asp


    "Magi" <Magi @discussions.microsoft.com> wrote in message
    news:38125946-73FF-4388-9AF6-B5C0239E1D28@microsoft.com...
    > We have multiple domain controllers in our environment, with multiple domain
    > admins. We have created a special account for domain admins. We have also enabled
    > auditing on accounts. The problem is that the admins log in using their regular
    > (non-admin) ID and then use the 'RUN AS' option to run the Active Directory Users
    > admin tool to make changes to the user accounts. The system generates a log for any
    > changes made, e.g. to the global groups. Since they do not interactively log in using
    > their admin ID, there are no corresponding logs recorded for their login.
    > Is there a way to monitor the user/system that was used to log on to the domain
    > and then use the 'RUN AS' option to execute the other tools?
    >
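The correlation described in the answer, as an added example that is not part of the original thread: it filters event 528 records whose Logon Process is seclogon, pairs each with the 538 logoff carrying the same Logon ID on the same computer, and lists the interactive logons open on that computer at the time. The record layout, computer names, accounts and Logon IDs are constructed for illustration, and treating the open interactive logon as the person who ran runas is a heuristic assumed here.

```python
import re

# Constructed sample records: (computer, event ID, time, description text).
# Field labels follow the 528/538 event descriptions; every value is made up.
SAMPLE = [
    ("WKS-014", 528, "09:14:02", "Successful Logon: User Name: jdoe Domain: CORP "
     "Logon ID: (0x0,0x1A2B3) Logon Type: 2 Logon Process: User32"),
    ("WKS-014", 528, "09:20:41", "Successful Logon: User Name: adm-jdoe Domain: CORP "
     "Logon ID: (0x0,0x3F2A1) Logon Type: 2 Logon Process: seclogon"),
    ("WKS-014", 538, "09:47:10", "User Logoff: User Name: adm-jdoe Domain: CORP "
     "Logon ID: (0x0,0x3F2A1) Logon Type: 2"),
    ("WKS-022", 528, "10:02:15", "Successful Logon: User Name: adm-asmith Domain: CORP "
     "Logon ID: (0x0,0x51C07) Logon Type: 2 Logon Process: seclogon"),
    ("WKS-014", 538, "17:30:00", "User Logoff: User Name: jdoe Domain: CORP "
     "Logon ID: (0x0,0x1A2B3) Logon Type: 2"),
]

FIELD = re.compile(r"(User Name|Domain|Logon ID|Logon Type|Logon Process):\s*(\S+)")

def runas_sessions(events):
    """Return one dict per seclogon (runas) logon, closed by the 538 with the same
    Logon ID on the same computer. 'desktop_users' lists the interactive logons
    open on that computer at that moment (a heuristic for who ran runas)."""
    desktop, pending, sessions = {}, {}, []
    for computer, event_id, when, text in events:
        f = dict(FIELD.findall(text))
        key = (computer, f.get("Logon ID"))
        account = f.get("Domain", "?") + "\\" + f.get("User Name", "?")
        if event_id == 528 and f.get("Logon Process", "").lower() == "seclogon":
            users = sorted(a for (c, _), a in desktop.items() if c == computer)
            pending[key] = {"computer": computer, "account": account, "logon": when,
                            "logoff": None, "desktop_users": users}
            sessions.append(pending[key])
        elif event_id == 528 and f.get("Logon Type") == "2":
            desktop[key] = account          # ordinary interactive logon
        elif event_id == 538:
            desktop.pop(key, None)
            if key in pending:              # matched on Logon ID, not on text
                pending.pop(key)["logoff"] = when
    return sessions

if __name__ == "__main__":
    for s in runas_sessions(SAMPLE):
        print(s)
```

Events must be fed in chronological order per computer, since Logon IDs are only unique on one machine between reboots.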