Neal_876
Run As command
Is it possible to differentiate, when a user uses the Run As command, whether that user used regular user credentials or admin credentials? I know that when you use the Run As command it is logged with ID 528...
ASKER
Windows Server 2003/XP operating systems environment. I just need to be able to know the difference between a regular user and a user with admin rights using this command. What event is generated in the event log for the regular user and for the user with admin rights?
The link above is using a script...
ASKER
Any thoughts?
Hi Neil,
What does your event log say?
ASKER
Please see below:
Successful Logon:
User Name: abcd
Domain: Domain Name
Logon ID: (0x0,0x6F9FAF)
Logon Type: 2
Logon Process: seclogon - this tells me that run as command was used
Authentication Package: Negotiate
Workstation Name: Computer name
Logon GUID: {5aedb061-d8a
This is event ID: 528 under the Logon/logoff Category
I would like to be able to tell if the Run As command was done using an admin or a regular user account. Is this possible?
Thank you!
ASKER
Russell_Venable:
Thank you for the information above but it is a bit more than what I am looking for.
I just want to be able to check the event log on the server that the Run As command was used on and be able to tell what privilege the logged-on user used to run the Run As command, whether admin or regular user privilege.
If I can find the ID that is generated that tells me which kind of account was used, I can then monitor such an event ID or logon process.
Please let me know your thoughts.
lol, better more than less. Yes, but if you have this information you can look up privileges for an account, check if the user is in the administrators group/is an administrator. Admins are always 500 for full and 1001 for sub admins. If you check the end of a user's SID you will know what I am talking about.
ASKER
Is this the only way to accomplish this task? I'd rather not run a script, because this will be an ongoing item.
Well, if you truly want to do this the long way then you can select the OU, select the user, select properties and look at the objectSID and objectGUID properties. That is a lot of trouble in the long run if you ask me.
Well, the only reason I suggest a script is that it helps translate some of the computer lingo for you so you can track the user down a lot easier, and I wanted you to understand how it works. The more you know, the better you will understand how it works and how to get it done easier.
ASKER
I appreciate your help, but I think you may not understand what I am trying to accomplish.
I just want to monitor the local security events on a particular server, namely event ID 528 with the logon process "seclogon", AKA the Run As command.
When a user runs this command on a server, ID 528 is generated in the local security event log on the server. I would like to be able to know if the user executed the Run As command as a local user or an admin user.
I also noticed that when the Run As command gets executed there is also an event ID 576 - privilege used, but this is the same ID that gets generated whether I use a regular user or a user with admin credentials.
I just want to know if there is an event ID that I am not seeing that can tell the difference between the users?
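As an added illustration, not code from the thread or from Experts Exchange, of combining the two ideas above: filtering 528 events on the seclogon logon process as the asker describes, then looking the account up as Russell suggests, since the 528 event itself does not record group membership. The event text, account names, SIDs and group mapping are all constructed, and the DIRECTORY dictionary stands in for whatever directory query the environment provides.

```python
import re
# Constructed sample text in the Event ID 528 layout quoted in the thread;
# the names, Logon IDs and SIDs below are made up, not real log data.
SAMPLE_EVENTS = """\
Event ID: 528
User Name: abcd
Domain: CORP
Logon ID: (0x0,0x6F9FAF)
Logon Process: seclogon
---
Event ID: 528
User Name: jsmith
Domain: CORP
Logon ID: (0x0,0x70A001)
Logon Process: User32
---
Event ID: 528
User Name: Administrator
Domain: CORP
Logon ID: (0x0,0x70B123)
Logon Process: seclogon
"""

# Constructed account -> (SID, groups) lookup; 528 does not record groups, so this join decides.
DIRECTORY = {
    "CORP\\abcd": ("S-1-5-21-1111-2222-3333-1105", {"Domain Users"}),
    "CORP\\jsmith": ("S-1-5-21-1111-2222-3333-1106", {"Domain Users", "Domain Admins"}),
    "CORP\\Administrator": ("S-1-5-21-1111-2222-3333-500", {"Domain Admins"}),
}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

def parse_events(text):
    """Split the log text into events, each a dict of 'Field: value' pairs."""
    return [d for d in (dict(re.findall(r"^([^:\n]+):\s*(.*)$", chunk, re.M))
                        for chunk in text.split("---")) if d]

def is_runas(event):
    """Event 528 with logon process seclogon is the Run As logon discussed in the thread."""
    return event.get("Event ID") == "528" and event.get("Logon Process", "").lower() == "seclogon"

def classify(account):
    """'admin' if the RID is 500 (built-in Administrator) or an admin group is held."""
    sid, groups = DIRECTORY[account]
    return "admin" if sid.rsplit("-", 1)[1] == "500" or groups & ADMIN_GROUPS else "regular"

def runas_report(text):
    """Return (account, Logon ID, admin|regular) for every Run As logon in the text."""
    return [(f"{ev['Domain']}\\{ev['User Name']}", ev["Logon ID"],
             classify(f"{ev['Domain']}\\{ev['User Name']}"))
            for ev in parse_events(text) if is_runas(ev)]
```

The jsmith logon is dropped because its logon process is not seclogon, and the Logon ID is kept so the result can be correlated with the 576 privilege-use event the asker also mentions.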
ASKER
I do not doubt you; I understand what you are saying, but I was looking for something else if possible.
I do not have a specific user in mind; this could be any domain user. I just wanted to know how to differentiate the logon process.
Well, if you need others to join in, I'd suggest you add some tags to this. I gave it my best. Good luck, Neil.
ASKER
Thanks for your help!
Does this help: http://social.msdn.microsoft.com/Forums/en/vcgeneral/thread/3a588937-a138-4ff2-a626-f4615af5a83c