How to find out when a particular domain user logs on

I'm trying to remove an older account from regular use in order to better secure my network.  Prior staff had gotten in the habit of using the same domain admin account for many services and applications and I'd like to clean it up.  I'd like to find a way to see where this account is being used without having to examine every single service and application that we use.

We're running a server 2008 domain with two DCs.  What would be the easiest way to find out where this account is being used?  I was thinking the event logs would be a good place to start but I am not very familiar with some of the more advanced events with server 2008.  If there is a tool for this purpose that I could run and save time that would be even better.
First LastAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

Daryl BamforthConnect With a Mentor Technical ExpertCommented:
In which case you may want to look at setting up some AD auditing.  Details in Microsoft KB

Once you have it set up you can target specific users for more verbose logging.
Here's what you need & it works like a charm:

Good luck!
First LastAuthor Commented:
Ok, this looks interesting so I'm trying out the demo.  I was hoping to find something free since this is a one time event but the demo might be enough to do the job.  Thanks for the assist!
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to and use offer code ‘EXPERTS’ to get 10% off your first purchase.

First LastAuthor Commented:
It looks like the demo does not include ad integration so I won't be able to test with it.  Any others I could try that you might know of?
Daryl BamforthTechnical ExpertCommented:
Daryl BamforthTechnical ExpertCommented:
This tool looks promising with free non-commercial use

You could also lock the account out (or change password) and then run this to identify where the account is trying to authenticate from.

And if you want to go full blown extreme

Although this is specifically to limit logons it would also act as a tool to see where a user is authenticating from.
First LastAuthor Commented:
@un0ri - What I really need to know is where the account is being used rather then when since I know its running a variety of services throughout the day

I tried ad-query but that only gives detailed info about the account but nothing about where it is being used

I can't really lock it out since it would bring down many production servers/services.  What I really need is something that tells me each time the account authenticates against a DC with a timestamp and an originating IP address so I can track down each instance.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.