Neal_876, United States of America
asked on

Run As command
Is it possible to differentiate, when a user uses the Run As command, whether that user used regular user credentials or admin credentials? I know when you use the Run As command it is logged with ID 528 …..
ubound:

You don't say your environment (C++, batch file, etc.).

Does this help: http://social.msdn.microsoft.com/Forums/en/vcgeneral/thread/3a588937-a138-4ff2-a626-f4615af5a83c
Neal_876 (asker):

Windows Server 2003/XP operating system environment. I just need to be able to know the difference between a regular user and a user with admin rights using this command..... What event is generated in the event log for the regular user and for the user with admin rights?

The link above uses a script.....
Any thoughts...?
Hi Neil,

What does your event log say?
Please see below......

Successful Logon:
       User Name:      abcd
       Domain:            Domain Name
       Logon ID:            (0x0,0x6F9FAF)
       Logon Type:      2
       Logon Process:      seclogon - this tells me that the Run As command was used
       Authentication Package:      Negotiate
       Workstation Name:      Computer name
       Logon GUID:      {5aedb061-d8a

This is event ID: 528 under the Logon/logoff Category

I would like to be able to tell if the Run As command was run using an admin or a regular user account. Is this possible?


Thank you!
SOLUTION
Russell_Venable (United States of America):
This solution is only available to members.
Russell_Venable:
Thank you for the information above, but it is a bit more than what I am looking for.
I just want to be able to check the event log on the server on which the Run As command was used and be able to tell what privilege the logged-on user used to run the Run As command, whether admin or regular user privilege.
If I can find the ID that is generated that tells me which kind of account was used, I can then monitor that event ID or logon process.
Please let me know your thoughts….
lol, better more than less. Yes, but if you have this information you can look up privileges for an account, and check if the user is in the Administrators group/is an administrator. Admins are always 500 for full and 1001 for sub admins. If you check the end of a user's SID you will know what I am talking about.
Is this the only way to accomplish this task? I'd rather not run a script, because this will be an ongoing item.
Well, if you truly want to do this the long way, then you can select the OU, select the user, select Properties and look at the objectSID and objectGUID properties. That is a lot of trouble... in the long run, if you ask me.

Well, the only reason I suggest a script is that it helps translate some of the computer lingo for you so you can track the user down a lot more easily, and I wanted you to understand how it works. The more you know, the better you will understand how it works and how to get it done more easily.
I appreciate your help, but I think you may not understand what I am trying to accomplish.

I just want to monitor the local security events on a particular server, namely event ID 528 with the logon process "seclogon", AKA the Run As command.

When a user runs this command on a server, ID 528 is generated in the local Security event log on the server. I would like to be able to know if the user executed the Run As command as a local user or an admin user.

I also noticed that when the Run As command gets executed there is also an event ID 576 (privilege use), but this is the same ID that gets generated whether I use a regular user or a user with admin credentials.

I just want to know if there is an event ID that I am not seeing that can tell the difference between the users.
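Event 528 identifies the account and the "seclogon" logon process, but it does not record that account's group membership, so the check Russell_Venable describes (resolve the account, then see whether it is an administrator) has to be done against the directory. The following PowerShell script is an added example for this thread, not code posted by anyone in it: it pulls the seclogon 528 events from the local Security log, resolves each account to its SID, and reports whether the account is the built-in Administrator (RID 500) or a member, directly or through nested groups, of the local Administrators group. It assumes Windows Server 2003/XP with PowerShell 2.0 (Get-EventLog and the [ADSI] WinNT provider), run under an account that can read the Security log and enumerate the local group and any domain groups nested in it. The parameter names, function name and output fields are this example's own choices.

```powershell
# Added example for this thread, not code from any poster. Reports Run As logons
# (event 528, Logon Process "seclogon") from the local Security log and flags
# whether the account used is an administrator on this host.
# Assumptions: Windows Server 2003 / XP, PowerShell 2.0, run with rights to read
# the Security log and enumerate the local Administrators group (and any domain
# groups nested in it). Parameter and function names are this example's own.

param(
    [int]$Newest = 500,                      # how many recent 528 events to examine
    [string]$AdminGroup = 'Administrators'   # local group that defines "admin" here
)

# Expand a WinNT group (local or domain) into the SIDs of every user account in it,
# following nested groups. Returns a hashtable keyed by SID string.
function Get-GroupMemberSids {
    param([string]$AdsPath, [hashtable]$Sids = @{}, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($AdsPath)) { return $Sids }   # break nested-group loops
    $Seen[$AdsPath] = $true
    $group = [ADSI]$AdsPath
    foreach ($m in @($group.Invoke('Members'))) {
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        if ($class -eq 'Group') {
            [void](Get-GroupMemberSids -AdsPath "$path,group" -Sids $Sids -Seen $Seen)
        } elseif ($class -eq 'User') {
            $bytes = ([ADSI]"$path,user").InvokeGet('objectSid')
            $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
            $Sids[$sid.Value] = $path
        }
    }
    return $Sids
}

# Membership is evaluated as of now, not as of the time each event was written.
$adminSids = Get-GroupMemberSids -AdsPath "WinNT://./$AdminGroup,group"

Get-EventLog -LogName Security -InstanceId 528 -Newest $Newest |
  Where-Object { $_.Message -match 'Logon Process:\s*seclogon' } |
  ForEach-Object {
    # Field layout as in the 528 message shown in the thread; (?m)^ anchors each
    # label to a line start so "Caller Domain:" is not mistaken for "Domain:".
    $msg    = $_.Message
    $user   = [regex]::Match($msg, '(?m)^\s*User Name:\s*(\S+)').Groups[1].Value
    $domain = [regex]::Match($msg, '(?m)^\s*Domain:\s*(\S+)').Groups[1].Value
    $type   = [regex]::Match($msg, '(?m)^\s*Logon Type:\s*(\d+)').Groups[1].Value

    $sid = $null; $isAdmin = $false; $reason = "not in $AdminGroup"
    try {
        $acct = New-Object System.Security.Principal.NTAccount($domain, $user)
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -match '-500$') {
            # RID 500 is the built-in Administrator of the domain or machine
            $isAdmin = $true; $reason = 'built-in Administrator (RID 500)'
        } elseif ($adminSids.ContainsKey($sid.Value)) {
            $isAdmin = $true; $reason = "member of $AdminGroup"
        }
    } catch {
        $reason = 'account could not be resolved'   # e.g. deleted since the logon
    }

    New-Object PSObject -Property @{
        Time      = $_.TimeGenerated
        Account   = "$domain\$user"
        SID       = $(if ($sid) { $sid.Value } else { '' })
        LogonType = $type
        IsAdmin   = $isAdmin
        Reason    = $reason
    }
  } | Sort-Object Time | Format-Table Time, Account, LogonType, IsAdmin, Reason -AutoSize
```

Two caveats worth keeping in mind when running this. The filter is on Logon Process rather than Logon Type 2, because `runas /netonly` also goes through seclogon but is recorded with logon type 9 (NewCredentials), and it would be missed by a type-2 filter. Group membership is looked up at the time the script runs, so an account added to or removed from Administrators after the event will be reported according to its current state. On Windows Vista/Server 2008 and later the same logon is recorded as event 4624 (with the same seclogon logon process name), and the privilege event is 4672 instead of 576.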
ASKER CERTIFIED SOLUTION
This solution is only available to members.

I do not doubt you, and I understand what you are saying, but I was looking for something else if possible.
I do not have a specific user in mind, this could be any domain user; just wanted to know how to differentiate the logon process.
 
Well if you need others to join in I'd suggest you add some tags to this. I gave it my best. Good luck Neil.
Thanks for your help!