Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Can you monitor server logins for all accounts that are not on the local network?

Posted on 2011-02-28
15
Medium Priority
?
289 Views
Last Modified: 2012-05-11
I want to be able to know what accounts are login/logged out from outside the local network. Is there a way to send alerts or log this? I know event viewer logs all types of logon/logoff and their login type so I assume someone out there has a app that monitors this.

Also, can I monitor the IP, computer name, or anything else with external logon/logoffs. Same goes for all logons that are unsuccessful.
0
Comment
Question by:rpmccly
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 6
15 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35003851
essemtially you want to enable auditing...do you have SBS 2003 or SBS 2008?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35006730
SBS 2003
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35006791
HOW TO: Audit Active Directory Objects in Windows Server 2003
http://support.microsoft.com/kb/814595
This step-by-step article describes how to use Windows Server 2003 auditing to track user activities and system-wide events in Active Directory.

0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 1

Author Comment

by:rpmccly
ID: 35006837
Great, I won't be able to get to this today, I will let you know when I get a chance.
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35021957
ok I looked intot he auditing. I'm able to audit specific accounts but there is so much that I can choose from that I have no idea what to choose. Basically, all I want to monitor is whether or not someone has success or fails to login with the administrator account. Is this logged in the event viewer > security? Is it possible to do this in its own place?
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35022095
Event ID 529 is logged when there are unsuccessful login, regardless of the account
But in auditing you select to just audit logon events

Otherwise you are looking at 3rd party tools

Is there something going on that you're trying to figure out.?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35022216
we had an issue in the past with a prior employee but I just thought it would be nice to know if someone accessed the server successfully that wasn't supposed to. I could sort through the event viewer every day but thats just not worth it since we aren't having any issues. Ideally, I would want to be sent an email if someone was able to login to certain accounts during off-peak hours.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35022274
you might take a look at this question and the Assisted solution as one option
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22011987.html

So basically it's going to come down to writing something or purchasing a third party product designed to do something more in depth..
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35036645
Ok, where do I edit the script? Here is a copy and paste of what I am talking about.

-I add a few lines to the users logon script to create a file which records  UserName, ComputerName, date and time in a simple single line, and the IP from which they connected. As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File
Log On:  UserName ComputerName  Fri 09/30/20   8:07  
  TCP    10.0.1.100:3389        10.0.33.100:4267        ESTABLISHED
{Where 10.0.1.100 is the computer IP and 10.0.33.100 is the remote user's IP}
---------------------------------------------------------------------------
:Logging
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,12%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
Netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"
---------------------------------------------------------------------------
Note the user will need write privileges for the \\Server\Logs\LogOns.Log folder, or at least the file name.

0
 
LVL 1

Author Comment

by:rpmccly
ID: 35036652
All I can do is choose success or fail under "Audit account logon events" - not sure where I can edit the script.

0
 
LVL 1

Author Comment

by:rpmccly
ID: 35036658
Also, can I do this for a single account? I don't want all logs for every account on the domain, just the admin account.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35037245
No, with the built in tools, it's an all or nothing situation.
There are plenty of 3rd party tools available that can give you more granular reporting...that may be the way you'll have to go
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35037261
Okay, do you have one in mind that would is good?
0
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 2000 total points
ID: 35037354
you can do a google search for "monitor AD logins" and you'll get many results like this one
http://www.manageengine.com/products/ad-manager/index.html
0
 
LVL 1

Author Closing Comment

by:rpmccly
ID: 35149141
It works but its expensive...
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question