Can you monitor server logins for all accounts that are not on the local network?
I want to be able to know what accounts are login/logged out from outside the local network. Is there a way to send alerts or log this? I know event viewer logs all types of logon/logoff and their login type so I assume someone out there has a app that monitors this.
Also, can I monitor the IP, computer name, or anything else with external logon/logoffs. Same goes for all logons that are unsuccessful.
Also, can I monitor the IP, computer name, or anything else with external logon/logoffs. Same goes for all logons that are unsuccessful.
Cris Hanna
essemtially you want to enable auditing...do you have SBS 2003 or SBS 2008?
ASKER
SBS 2003
HOW TO: Audit Active Directory Objects in Windows Server 2003
http://support.microsoft.com/kb/814595
This step-by-step article describes how to use Windows Server 2003 auditing to track user activities and system-wide events in Active Directory.
http://support.microsoft.com/kb/814595
This step-by-step article describes how to use Windows Server 2003 auditing to track user activities and system-wide events in Active Directory.
ASKER
Great, I won't be able to get to this today, I will let you know when I get a chance.
ASKER
ok I looked intot he auditing. I'm able to audit specific accounts but there is so much that I can choose from that I have no idea what to choose. Basically, all I want to monitor is whether or not someone has success or fails to login with the administrator account. Is this logged in the event viewer > security? Is it possible to do this in its own place?
Event ID 529 is logged when there are unsuccessful login, regardless of the account
But in auditing you select to just audit logon events
Otherwise you are looking at 3rd party tools
Is there something going on that you're trying to figure out.?
But in auditing you select to just audit logon events
Otherwise you are looking at 3rd party tools
Is there something going on that you're trying to figure out.?
ASKER
we had an issue in the past with a prior employee but I just thought it would be nice to know if someone accessed the server successfully that wasn't supposed to. I could sort through the event viewer every day but thats just not worth it since we aren't having any issues. Ideally, I would want to be sent an email if someone was able to login to certain accounts during off-peak hours.
you might take a look at this question and the Assisted solution as one option
https://www.experts-exchange.com/questions/22011987/Monitoring-logon-and-logoff-times-of-network-users.html
So basically it's going to come down to writing something or purchasing a third party product designed to do something more in depth..
https://www.experts-exchange.com/questions/22011987/Monitoring-logon-and-logoff-times-of-network-users.html
So basically it's going to come down to writing something or purchasing a third party product designed to do something more in depth..
ASKER
Ok, where do I edit the script? Here is a copy and paste of what I am talking about.
-I add a few lines to the users logon script to create a file which records UserName, ComputerName, date and time in a simple single line, and the IP from which they connected. As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File
Log On: UserName ComputerName Fri 09/30/20 8:07
TCP 10.0.1.100:3389 10.0.33.100:4267 ESTABLISHED
{Where 10.0.1.100 is the computer IP and 10.0.33.100 is the remote user's IP}
--------------------------
:Logging
If Exist "\\Server\Logs\LogOns.Log"
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo Log On: %USERNAME% %COMPUTERNAME% %Date:~0,12% %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
Netstat -an |find "3389" |find /I "established" >> "\\Server\Logs\LogOns.Log"
--------------------------
Note the user will need write privileges for the \\Server\Logs\LogOns.Log folder, or at least the file name.
-I add a few lines to the users logon script to create a file which records UserName, ComputerName, date and time in a simple single line, and the IP from which they connected. As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File
Log On: UserName ComputerName Fri 09/30/20 8:07
TCP 10.0.1.100:3389 10.0.33.100:4267 ESTABLISHED
{Where 10.0.1.100 is the computer IP and 10.0.33.100 is the remote user's IP}
--------------------------
:Logging
If Exist "\\Server\Logs\LogOns.Log"
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo Log On: %USERNAME% %COMPUTERNAME% %Date:~0,12% %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
Netstat -an |find "3389" |find /I "established" >> "\\Server\Logs\LogOns.Log"
--------------------------
Note the user will need write privileges for the \\Server\Logs\LogOns.Log folder, or at least the file name.
ASKER
All I can do is choose success or fail under "Audit account logon events" - not sure where I can edit the script.
ASKER
Also, can I do this for a single account? I don't want all logs for every account on the domain, just the admin account.
No, with the built in tools, it's an all or nothing situation.
There are plenty of 3rd party tools available that can give you more granular reporting...that may be the way you'll have to go
There are plenty of 3rd party tools available that can give you more granular reporting...that may be the way you'll have to go
ASKER
Okay, do you have one in mind that would is good?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It works but its expensive...