Solved

How to find out when a particular domain user logs on

Posted on 2012-04-11
Last Modified: 2012-04-13
I'm trying to remove an older account from regular use in order to better secure my network.  Prior staff had gotten in the habit of using the same domain admin account for many services and applications and I'd like to clean it up.  I'd like to find a way to see where this account is being used without having to examine every single service and application that we use.

We're running a server 2008 domain with two DCs.  What would be the easiest way to find out where this account is being used?  I was thinking the event logs would be a good place to start but I am not very familiar with some of the more advanced events with server 2008.  If there is a tool for this purpose that I could run and save time that would be even better.
0
Comment
Question by:First Last
7 Comments
 
LVL 15

Expert Comment

by:wantabe2
ID: 37834227
Here's what you need & it works like a charm:

http://www.thycotic.com/products_secretserver_serviceaccounts.html


Good luck!
0
 
LVL 1

Author Comment

by:First Last
ID: 37834396
OK, this looks interesting so I'm trying out the demo.  I was hoping to find something free since this is a one-time event but the demo might be enough to do the job.  Thanks for the assist!
0
 
LVL 1

Author Comment

by:First Last
ID: 37834440
It looks like the demo does not include AD integration so I won't be able to test with it.  Any others I could try that you might know of?
0

 
LVL 2

Expert Comment

by:un0ri
ID: 37834571
0
 
LVL 2

Expert Comment

by:un0ri
ID: 37834609
This tool looks promising, with free non-commercial use:

http://www.sysoptools.com/ad-query.aspx

You could also lock the account out (or change password) and then run this to identify where the account is trying to authenticate from.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

And if you want to go full-blown extreme:

http://www.windowsitpro.com/article/john-savills-windows-faqs/how-can-i-limit-the-number-of-allowed-concurrent-sessions-per-user-in-an-active-directory-ad-domain-

Although this is specifically to limit logons it would also act as a tool to see where a user is authenticating from.
0
 
LVL 1

Author Comment

by:First Last
ID: 37837267
@un0ri - What I really need to know is where the account is being used rather than when, since I know it's running a variety of services throughout the day.

I tried ad-query but that only gives detailed info about the account but nothing about where it is being used.

I can't really lock it out since it would bring down many production servers/services.  What I really need is something that tells me each time the account authenticates against a DC with a timestamp and an originating IP address so I can track down each instance.
0
 
LVL 2

Accepted Solution

by:
un0ri earned 500 total points
ID: 37837415
In which case you may want to look at setting up some AD auditing.  Details in Microsoft KB

http://support.microsoft.com/kb/814595

Once you have it set up you can target specific users for more verbose logging.
0
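As an added example (not part of the original thread): one way to list each authentication of the account against a DC with its timestamp and origin, assuming logon auditing is already enabled on the DCs as the accepted answer describes. The account name, DC names, time window and output file name are placeholders.

```powershell
# Added example. Placeholders: replace the account, DC names and window.
$Account = 'old-admin'        # hypothetical sAMAccountName of the shared account
$DCs     = 'DC01', 'DC02'     # hypothetical names for the two domain controllers
$Since   = (Get-Date).AddDays(-7)

# Events a DC records when an account authenticates against it:
#   4624 logon on the DC itself      4768 Kerberos TGT request
#   4769 Kerberos service ticket     4776 NTLM credential validation
$Ids = 4624, 4768, 4769, 4776

$hits = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Ids; StartTime = $Since
    } | ForEach-Object {
        # Flatten the named <Data> fields of the event into a lookup table.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # 4769 reports the account as name@REALM; compare the name part only.
        $user = ($d['TargetUserName'] -split '@')[0]
        if ($user -ne $Account) { return }

        # 4776 carries a workstation name; the other events carry an IP address.
        if ($_.Id -eq 4776) { $source = $d['Workstation'] }
        else { $source = $d['IpAddress'] -replace '^::ffff:', '' }

        New-Object PSObject -Property @{
            Time = $_.TimeCreated; DC = $dc; EventId = $_.Id
            Source = $source; Service = $d['ServiceName']; LogonType = $d['LogonType']
        }
    }
}

# Every authentication, oldest first, with timestamp and origin.
$hits | Sort-Object Time |
    Select-Object Time, DC, EventId, Source, Service, LogonType |
    Export-Csv .\account-usage.csv -NoTypeInformation

# Distinct origins to visit, busiest first.
$hits | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
```

A 4624 on a DC only covers logons to the DC itself (LogonType 5 is a service, 4 a scheduled task), so services on member servers show up through the 4768, 4769 and 4776 rows.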
