Configure auditing of Administrator account logon attempts (to track hacking attempts)

Posted on 2007-08-09
Last Modified: 2010-05-18

How can I configure auditing of Administrator account logon attempts (to track hacking attempts)?

Question by: bsharath
    LVL 26

    Accepted Solution

    Open Active Directory Users and Computers. Select Advanced Features from the View menu.

    Right-click the Administrator account -> select Properties -> select Security, then Advanced. There is an Auditing tab there where you can set the auditing.

    Have a look at the following post:
    Securing the Domain Administrator Account:
    LVL 11

    Author Comment

    Already in the Administrator auditing there is Everyone mentioned. Is that correct?

    Where can I see the logs? Is there a way to get these audits only to a file?
    LVL 70

    Assisted Solution


    It is good practice NOT to use the administrator account and to rename it so that someone trying to hack your system does not know the name of the administrator account.

    All administrators should have a unique user account with admin privileges so you can track who is doing what - and you need to monitor these as well.

    Also consider making the "Administrators", "enterprise administrators" and "domain administrators" restricted groups so user accounts cannot be added to these groups without specific consent.

    Also be aware of the differences between Audit Logon/Logoff and Audit Account Logon.
    "Account Logon" isn't really about logon, it's about credential validation.

    Audit Logon/Logoff generates events for the creation and destruction of logon sessions.  These events occur on the machine which was accessed.  In the case of an interactive logon, these would be generated on the machine which was logged on to.  In the case of network logon, for example, accessing a share, these events would be generated on the machine hosting the resource that was accessed.

    Audit Account Logon generates events for credential validation. These events occur on the machine which is authoritative for the credentials.  For domain accounts, the domain controller is authoritative. For local accounts, the local machine is authoritative.  Since domain accounts are used much more frequently in enterprise environments than local accounts, most of the Account Logon events in a domain environment occur on the domain controllers which are authoritative for the domain accounts.  However, these events can occur on any machine, and may occur in conjunction with or on separate machines from logon/logoff events.

    LVL 13

    Expert Comment

    The audited events appear in the Security Event log.  You can save this log out to a file, but you cannot redirect the auditing to a specific file that I know of.  (Please understand that I'm not the brightest star in the sky, so maybe someone else can weigh in.)

    If you want to capture specific events such as logins with the administrator account you will probably need a specific application to do so.  I know that Microsoft Operations Manager (now Service Console Operations Manager) will do this.  I'm sure there are other products that will work just as well.
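
The thread distinguishes Logon/Logoff events (recorded on the machine that was accessed) from Account Logon events (recorded on the machine that validated the credentials) and asks how to get the Administrator audits into a file. The script below is an added example, not part of the original thread, that filters the Security log to one account across both categories and exports the result to CSV. It assumes Windows Vista / Server 2008 or later event IDs; the parameter names, the default account name and the output path are assumptions.

```powershell
# Added example. Run elevated: reading the Security log needs admin rights.
param(
    [string]   $AccountName  = 'Administrator',    # assumption: change if the account was renamed
    [string]   $ComputerName = $env:COMPUTERNAME,  # query a domain controller to see Account Logon events
    [datetime] $StartTime    = (Get-Date).AddDays(-1),
    [string]   $OutFile      = '.\admin-logon-audit.csv'   # hypothetical output path
)

# Event ID -> audit category and meaning (Vista / Server 2008 and later)
$eventMap = @{
    4624 = 'Logon/Logoff: logon session created'
    4625 = 'Logon/Logoff: logon failed'
    4768 = 'Account Logon: Kerberos TGT requested'
    4771 = 'Account Logon: Kerberos pre-authentication failed'
    4776 = 'Account Logon: NTLM credential validation'
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($eventMap.Keys)
    StartTime = $StartTime
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
    ForEach-Object {
        # Flatten the named <Data> fields of the event into a hashtable
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # Keep only events whose target is the audited account
        if ($data['TargetUserName'] -ne $AccountName) { return }

        # Source host fields differ per event ID; '-' means "not recorded"
        $source = @($data['IpAddress'], $data['WorkstationName'], $data['Workstation']) |
            Where-Object { $_ -and $_ -ne '-' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            RecordedOn  = $_.MachineName
            EventId     = $_.Id
            Meaning     = $eventMap[$_.Id]
            Account     = $data['TargetUserName']
            LogonType   = $data['LogonType']      # empty for Account Logon events
            Source      = $source -join ', '
        }
    } |
    Sort-Object TimeCreated |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Run it once against a domain controller and once against the server or workstation of interest: the `RecordedOn` column then shows the credential validation and the resulting logon session landing on different machines.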
