Regarding Login Script In Windows NT

Posted on 2005-02-25
Medium Priority
Last Modified: 2010-04-11

My whole network is Windows NT based. I need to know whether it is possible to make a login script which records all user activities. I have appointed some account operators and domain admins and I want to know their activities, because earlier some issues happened; I also checked in Event Viewer but nothing was there. So, to keep track of all user activities, I want a script which tracks whether a user changes anything in Usrmgr in Windows NT; it should record all things.
I would appreciate it if someone could assist me with this.

Thanks and Regards.

Question by:ask_anurag

Accepted Solution

samccarthy earned 500 total points
ID: 13404670
You could set up Auditing on your network to record any changes.

Auditing in Windows NT causes the audited events to appear in the Security Event Log. It alerts you to a potential security problem, as opposed to preventing it. You can audit:

  • Log on/Log off: Logs both local and remote resource logins (tips 264 and 749).
  • File and Object Access: NTFS Files and folders, and printer access. Use NT Explorer to select the File(s)/Folder(s).
  • User and Group Management: Any user accounts or groups created, changed, renamed, dis/enabled or deleted and password activity.
  • Security Policy Changes: Any changes to user rights or audit policies.
  • Restart, Shutdown, And System: Logs shutdowns and restarts for the local workstation.
  • Process Tracking: Tracks program activation, handle duplication, indirect object access, and process exit.

To enable auditing, you must be logged on as a member of the local Administrators group (Domain Admins are members). In User Manager (User Manager for Domains if logged onto the PDC), click Policies / Audit. Check the options you want to audit and click OK.

To enable File and Object Access auditing, you need to select the objects being audited. To do this, right-click an object (e.g., a file, directory, or printer). Select Properties, and then select the Security tab. Click the Auditing button. Different events will be available depending on the type of object selected. Auditing is available only for NTFS objects; FAT does not allow for object auditing.

Auditing can create large amounts of system overhead, especially if the event that is being monitored occurs frequently (e.g., file access). A common mistake is to audit the success and failure of all events. This can dramatically slow a system down. Audit only the events that are truly necessary to track a problem or security issue, or to test a piece of equipment or hardware.

You will probably want to increase the size of your Security log for this.


Assisted Solution

kruptos earned 500 total points
ID: 13408976
I would set up auditing and make the permissions on the audit logs so only you have access to read or modify them. This will prevent them from deleting them. You can still set them up for read only access if they still need to access them.

Expert Comment

ID: 13410984
samccarthy is correct - set up auditing on the domain by using User Manager for Domains. Change the permissions on the event logs so that only you or a select few can modify or delete them, or set up a script to copy the events to a secure location. Definitely increase the sizes of the log files so that it doesn't overwrite the logs too quickly. You should be able to see any account changes made by screening the security log on the PDC.
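
The screening step suggested in the replies above, as an added example that is not part of the original thread: a Python sketch that reads a copy of the Security log exported to CSV and lists User and Group Management changes per acting account, plus events that touch the audit trail itself. The CSV column layout and the sample rows are constructed assumptions; the event IDs are the classic Security log IDs used by Windows NT-era systems.

```python
import csv
import io
from collections import defaultdict

# Classic (pre-Vista) Security log event IDs for account management.
ACCOUNT_EVENTS = {
    624: "user account created",
    630: "user account deleted",
    632: "global group member added",
    633: "global group member removed",
    636: "local group member added",
    637: "local group member removed",
    642: "user account changed",
}
# Events that affect the audit trail itself.
TAMPER_EVENTS = {517: "audit log cleared", 612: "audit policy changed"}

# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = """\
date,time,event_id,user,computer,description
2005-02-24,09:12:03,528,DOMAIN\\jsmith,PDC01,Successful Logon
2005-02-24,09:15:47,624,DOMAIN\\op1,PDC01,New account: tempuser
2005-02-24,09:16:02,632,DOMAIN\\op1,PDC01,Member added to Domain Admins: tempuser
2005-02-24,17:40:11,612,DOMAIN\\admin2,PDC01,Audit Policy Change
2005-02-24,17:41:30,517,DOMAIN\\admin2,PDC01,The audit log was cleared
2005-02-25,08:01:15,642,DOMAIN\\op1,PDC01,User Account Changed: jsmith
"""

def screen_security_log(text):
    """Return (changes_by_actor, tamper_alerts) from an exported log."""
    changes = defaultdict(list)
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            event_id = int(row["event_id"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows instead of aborting the review
        stamp = f'{row["date"]} {row["time"]}'
        if event_id in ACCOUNT_EVENTS:
            changes[row["user"]].append((stamp, ACCOUNT_EVENTS[event_id], row["description"]))
        elif event_id in TAMPER_EVENTS:
            alerts.append((stamp, row["user"], TAMPER_EVENTS[event_id]))
    return dict(changes), alerts

if __name__ == "__main__":
    changes, alerts = screen_security_log(SAMPLE_EXPORT)
    print(changes)
    print("ALERTS:", alerts)
```

Run it against the copy of the log kept in the secure location rather than the live log on the PDC, so the review does not depend on a log the audited accounts can reach.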


Question has a verified solution.
