Sign in with
Sign up | Sign in
Your question

Tracking Admin Logon

Last response: in Windows 2000/NT
Share
Anonymous
July 27, 2004 2:12:31 PM

Archived from groups: microsoft.public.win2000.security (More info?)

We have multiple domain controllers in our environment, with multiple domain admins. We have created a special account for domain admins. We have also enable Auditing on accounts. The problem is that the admins logs in using their regular (non admin Id ) and then uses the 'RUN AS' Option to run the active directory users - admin tool to make changes to the user accounts. The system generates a log for any changes made eg to the Global groups. Since they do not interacivtely login using their admin ID, there is no corresponding logs recorded for their log in.
Is there a way to monitor, the user / system that was used to logon to the domain and then 'use RUN AS' option to execute the other tools ????

More about : tracking admin logon

Anonymous
July 27, 2004 9:58:00 PM

Archived from groups: microsoft.public.win2000.security (More info?)

First you would have to enable auditing of logon events on computers where you want
to track runas use. Then you can look for Event ID's 528 and 538 that use "seclogon"
[which
is secondary logon] as the logon process for those users. You can use Event Comb,
free from MS, to
scan multiple computers by entering seclogon in the text box and events 528 and 538
as events to search for. Those would be for successful logons using runas. If you
also want to track failed logons you will have to scan for more event id's as shown
in the link below. --- Steve

http://www.microsoft.com/resources/documentation/Window...


"Magi" <Magi @discussions.microsoft.com> wrote in message
news:38125946-73FF-4388-9AF6-B5C0239E1D28@microsoft.com...
> We have multiple domain controllers in our environment, with multiple domain
admins. We have created a special account for domain admins. We have also enable
Auditing on accounts. The problem is that the admins logs in using their regular (non
admin Id ) and then uses the 'RUN AS' Option to run the active directory users -
admin tool to make changes to the user accounts. The system generates a log for any
changes made eg to the Global groups. Since they do not interacivtely login using
their admin ID, there is no corresponding logs recorded for their log in.
> Is there a way to monitor, the user / system that was used to logon to the domain
and then 'use RUN AS' option to execute the other tools ????
>
!