

Regarding Login Script In Windows NT

Posted on 2005-02-25
Medium Priority
Last Modified: 2010-04-11

My whole network is Windows NT based. I need to know whether it is possible to make a login script which records all user activities. I have appointed some account operators and domain admins and I want to know their activities, because earlier some issues happened; I also checked in Event Viewer but nothing was there. So to keep track of all user activities I want some script which tracks whether some user changes anything in Usrmgr in Windows NT; it should record all things.
I would appreciate it if someone could assist me on this.

Thanks and Regards.

Question by:ask_anurag
LVL 18

Accepted Solution

Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer earned 500 total points
ID: 13404670
You could set up auditing on your network to record any changes.

Auditing in Windows NT causes the audited events to appear in the Security Event Log. It alerts you to a potential security problem, as opposed to preventing it. You can audit:

- Log on/Log off: Logs both local and remote resource logins (tips 264 and 749).
- File and Object Access: NTFS files and folders, and printer access. Use NT Explorer to select the File(s)/Folder(s).
- User and Group Management: Any user accounts or groups created, changed, renamed, dis/enabled or deleted and password activity.
- Security Policy Changes: Any changes to user rights or audit policies.
- Restart, Shutdown, And System: Logs shutdowns and restarts for the local workstation.
- Process Tracking: Tracks program activation, handle duplication, indirect object access, and process exit.

To enable auditing, you must be logged on as a member of the local Administrators group (Domain Admins are members). In User Manager (User Manager for Domains if logged onto the PDC), click Policies / Audit. Check the options you want to audit and click OK.

To enable File and Object Access auditing, you need to select the objects being audited. To do this, right-click an object (e.g., a file, directory, or printer). Select Properties, and then select the Security tab. Click the Auditing button. Different events will be available depending on the type of object selected. Auditing is available only for NTFS objects; FAT does not allow for object auditing.

Auditing can create large amounts of system overhead, especially if the event that is being monitored occurs frequently (e.g., file access). A common mistake is to audit the success and failure of all events. This can dramatically slow a system down. Audit only the events that are truly necessary to track a problem or security issue, or to test a piece of equipment or hardware.

You will probably want to increase the size of your Security log for this.


Assisted Solution

kruptos earned 500 total points
ID: 13408976
I would set up auditing and make the permissions on the audit logs so only you have access to read or modify them. This will prevent them from deleting them. You can still set them up for read only access if they still need to access them.

Expert Comment

ID: 13410984
samccarthy is correct - set up auditing on the domain by using User Manager for Domains.  Change the permissions on the event logs so that only you or a select few can modify or delete them, or set up a script to copy the events to a secure location.  Definitely increase the sizes of the log files so that it doesn't overwrite the logs too quickly.  You should be able to see any account changes made by screening the security log on the PDC.
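
Screening the PDC security log for account changes, as the replies above suggest, can be scripted once the log has been copied off the server. The following is an added example, not part of the original thread: it assumes the log was saved from Event Viewer as comma-delimited text with the column order given in `FIELDS`, and the sample rows, account names and `PDC01` are constructed.

```python
import csv
import io
from collections import Counter

# Security-log event IDs written by the "User and Group Management"
# audit category on Windows NT (a subset, not the full list).
ACCOUNT_EVENTS = {
    624: "user account created",
    630: "user account deleted",
    632: "global group member added",
    636: "local group member added",
    642: "user account changed",
}
# Assumed column order of the comma-delimited export.
FIELDS = ["date", "time", "source", "type", "category",
          "event", "user", "computer", "description"]

# Constructed sample export; every name and value is invented for illustration.
SAMPLE_EXPORT = """\
2/24/05,9:14:02 AM,Security,Success Audit,Logon/Logoff,528,jsmith,PDC01,Successful Logon
2/24/05,9:20:41 AM,Security,Success Audit,Account Management,624,acctop1,PDC01,User Account Created: tempuser
2/24/05,9:21:10 AM,Security,Success Audit,Account Management,636,acctop1,PDC01,Local Group Member Added: Administrators
2/24/05,4:55:37 PM,Security,Success Audit,Account Management,642,admin2,PDC01,User Account Changed: jsmith
2/24/05,5:02:13 PM,Security,Failure Audit,Logon/Logoff,529,jsmith,PDC01,Logon Failure
"""

def account_changes(export_text):
    """Return one dict per account-management event found in the export."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text), fieldnames=FIELDS):
        try:
            event_id = int(row["event"])
        except (TypeError, ValueError):
            continue  # header line, truncated or malformed row
        if event_id in ACCOUNT_EVENTS:
            hits.append({
                "when": f'{row["date"]} {row["time"]}', "who": row["user"],
                "event": event_id, "action": ACCOUNT_EVENTS[event_id],
                "detail": (row["description"] or "").strip(),
            })
    return hits

def changes_per_operator(hits):
    """Count account-management events per acting account."""
    return Counter(h["who"] for h in hits)

if __name__ == "__main__":
    for h in account_changes(SAMPLE_EXPORT):
        print(h["when"], h["who"], h["event"], h["action"], "-", h["detail"])
```

The "who" column is the account that made the change, which is the field to review for account operators and domain admins.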
