How do I monitor a user?

My boss is suspecting a user in my company of performing illegal activities.
I have a windows 2000 activie directory domain and the clients are windows xp.
I need to be able to monitor the activities of the user to determine and collect information for legal actions.
I would like to be able to do something like a screen shadow of the user's account, without the user knowing.
The boss is concerned that if we don't do something the company will be held liable.
any help would be appreciated
thank you
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

HOW TO: Enable and Apply Security Auditing in Windows 2000;en-us;Q300549 

HOW TO: Set, View, Change, or Remove Auditing for a File or Folder in Windows 2000;en-us;Q301640
may the these products help u.....but they are not free ;)
I know you may not be completely at liberty to say, but what resource on your network is this user using to perform the alleged illegal activities?

Simply shadowing him/her isn't going to save you legally. Auditing as CrazyOne is suggesting is an excellent method if the user is accessing files or performing malicious activities against your network-- but are still excellent tools in building your case. But if this illegal activity is taking place using the Internet or email, shadowing nor auditing will be sufficient. [There are logs for both that can be used for AAA.]

Before getting too deep into this, I highly recommend setting up a company approved logon message warning all users that all use of company computers are subject to monitoring and that illegal and/or improper use will result in disciplinary action. And having users sign off on an acceptable use policy via HR would be meaningful as well. Of course, I realize that all of this would probably alert your suspect, but it is good for future reference and is the kind of stuff that will leave you legally up the creek if you try to prosecute this user without it.

A simple solution might be to force all users to change their passwords [or just the department this user is in] as a way of covering up your changing his/her password and snooping for evidence after he/she is gone for the day. If they're not clever enough they will have left IE histories, cookies, sent or deleted items in Outlook, etc.

Bottomline is this: If you boss has enough suspicion to believe that the user is really up to something, any intervention he takes is justified-- this is company equipment. Clandestine stuff like spyware seems cool, but it's not gonna hold water in a legal battle.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Although you could set up a camera that strategically watches what the individual is doing with the computer. Many companies do this now. Some make it obvious in that they don't hide the cameras and other companies find ways to hide the camera. Look at Las Vegas  they have what is commonally known as the eye in the sky watching the gambling floor and other hot spots and watching the employees.

If you make the camera so it is seen then this would probably curtail the individuals desire to continue their ill gotten ways which I would think would be the top priority here. If you are interested in terminating their employeement because of what you suspect they are doing then try and hide the camera in such a way that at least you can see the persons monitor.
Or use something like his

KeyGhost Hardware Key Logger
Also, if you are willing to part with the dosh, you could get Microsoft SMS. This way you have a legitimate tool for other many useful control management tasks, but it also comes with a remote control feature that you can configure to not require the user's intervention. This allows you to effectively watch any session on-screen without the user's knowledge. I used this in an incident similar to yours as part of a larger case being built. But I have to stress that you have to have your legal ducks already in a row and use other presentable, unalterable, accounting logs. Think lawsuit.
microcrashboyAuthor Commented:
I have been assured by the boss that all legal matters have been address, my mistake all employees do sign disclaimer and are warned about actions, with using company equipment for other than bussiness use.

It is somehting to be honest I have bee seriously dreading and hate doing, but I am as they say in the middle! This is the part of the job I hate.

The password is not an issue it is downloading well illicit materials and sending via e-mail he figures, because we have had compalints, but nothing substaintial yet.
microcrashboyAuthor Commented:
oh and...

Camera I would prefer to completely avoid I am trying to use all my influnce to convince the boss to avoid doing this.

It always takes one person to wreck the privileges for all.

I feel you. We had a similar situation at one of my locations. Fortunately, the boss understood that "boys will be boys" and we confronted the guy and explained that our primary concern was that the sites that generally posted this material were often harbingers of viruses and malware and that our interest was in protecting the network and not busting him. He was very embarrased and apologetic, and we've not had a problem since.

Another approach to handling this situation delicately would be to purchase some sort of web filtering software like Websense and simply restrict the sites he going to. Surely he won't be bold enough to approach you about sites he can't get to! You can do the same with email filtering software. You could even freeze the mail queue and scan the suspect mail he sends rejecting with NDS reports. Again, it will be unlikely that he will approach you about not being able to send this type of email.

These are all around the way methods that don't address the heart of the situation. This is less a technical issue than it is a business and management issue. Do what I suggested and search his computer after hours and scour his machine for evidence-- if he doesn't suspect you are on to him he will undoubtedly be a bit careless. Then have management confront him with the knowledge of his activities. Suggest that they warn him and tell him that his activities are being closely monitored and documented [even if they aren't-- he won't know fully what you are capable of monitoring or how]. And then follow through with termination if there is ever evidence of such a breech again.

Point is you are being used as a tool of management. If they want you to be able to do this type of routine monitoring [which you should!] then the resources have to be allocated.

I'm sure others will be able to offer you a ton of solutions to install to trap this malcontent, so you can take it from there.

Best of luck.
microcrashboyAuthor Commented:
thanx for the advice much appreciated :)

Thanks for the consideration! What ended up happening?
microcrashboyAuthor Commented:
Boss caught him bye bye he go :)
Play with fire, expect to get burned!
Best of luck!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.