I have 5 terminal servers that allow my plant workers to use thin clients to logon.
Each department has a workstation.
So say i have a windows department, with 8 employees that work in it.
the username is different for each department, with a generic password for all departments.
Recently i have had some reports of one department that is no 24 hours logon being used to probe our network.
I know the username and the password and to which termial server they are logging.
What i want to try and do, is catch them "in the act" so to speak.
I can turn on secuity logging on the domain and monitor for logon times, thats my first step.
Are there any other tips or tricks that will aid me in dealing with my offender?