Solved

How to find out when a particular domain user logs on

Posted on 2012-04-11
Last Modified: 2012-04-13
I'm trying to remove an older account from regular use in order to better secure my network.  Prior staff had gotten in the habit of using the same domain admin account for many services and applications and I'd like to clean it up.  I'd like to find a way to see where this account is being used without having to examine every single service and application that we use.

We're running a Server 2008 domain with two DCs.  What would be the easiest way to find out where this account is being used?  I was thinking the event logs would be a good place to start, but I am not very familiar with some of the more advanced events in Server 2008.  If there is a tool for this purpose that I could run to save time, that would be even better.
Question by:First Last
7 Comments
 
LVL 15

Expert Comment

by:wantabe2
ID: 37834227
Here's what you need & it works like a charm:

http://www.thycotic.com/products_secretserver_serviceaccounts.html


Good luck!
0
 
LVL 1

Author Comment

by:First Last
ID: 37834396
Ok, this looks interesting so I'm trying out the demo.  I was hoping to find something free since this is a one time event but the demo might be enough to do the job.  Thanks for the assist!
0
 
LVL 1

Author Comment

by:First Last
ID: 37834440
It looks like the demo does not include AD integration so I won't be able to test with it.  Any others I could try that you might know of?
0
 
LVL 2

Expert Comment

by:un0ri
ID: 37834571
0
 
LVL 2

Expert Comment

by:un0ri
ID: 37834609
This tool looks promising, with free non-commercial use:

http://www.sysoptools.com/ad-query.aspx

You could also lock the account out (or change password) and then run this to identify where the account is trying to authenticate from.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

And if you want to go full blown extreme

http://www.windowsitpro.com/article/john-savills-windows-faqs/how-can-i-limit-the-number-of-allowed-concurrent-sessions-per-user-in-an-active-directory-ad-domain-

Although this is specifically to limit logons it would also act as a tool to see where a user is authenticating from.
0
 
LVL 1

Author Comment

by:First Last
ID: 37837267
@un0ri - What I really need to know is where the account is being used rather than when, since I know it's running a variety of services throughout the day.

I tried ad-query, but that only gives detailed info about the account and nothing about where it is being used.

I can't really lock it out since it would bring down many production servers/services.  What I really need is something that tells me each time the account authenticates against a DC with a timestamp and an originating IP address so I can track down each instance.
0
 
LVL 2

Accepted Solution

by:
un0ri earned 500 total points
ID: 37837415
In which case you may want to look at setting up some AD auditing.  Details in Microsoft KB

http://support.microsoft.com/kb/814595

Once you have it set up you can target specific users for more verbose logging.
0
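
The per-authentication record the asker describes (timestamp plus originating address, on each DC) can be read from the DCs' Security logs once account logon auditing is enabled. The script below is an added example, not part of the original thread; the account name, DC names and look-back window are placeholders, and it assumes PowerShell 3.0 or later on the machine running it and success auditing of account logon and logon events on both DCs.

```powershell
# Added example. $Account and $DCs are placeholders, not values from the thread.
$Account = 'old-admin'                 # sAMAccountName of the shared account
$DCs     = 'DC1', 'DC2'                # the two domain controllers
$Since   = (Get-Date).AddDays(-1)      # look-back window

# 4624 logon on the DC itself, 4768 Kerberos TGT request,
# 4769 Kerberos service ticket request, 4776 NTLM credential validation
$Ids = 4624, 4768, 4769, 4776

$hits = foreach ($dc in $DCs) {
    # SilentlyContinue suppresses the error raised when a DC has no matching events
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Ids; StartTime = $Since
    } | ForEach-Object {
        # Flatten the named EventData fields into a hashtable
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # 4769 records the user as name@REALM, so compare only the name part
        $user = ("$($d['TargetUserName'])" -split '@')[0]
        if ($user -ne $Account) { return }   # skip events for other accounts

        [pscustomobject]@{
            Time        = $_.TimeCreated
            DC          = $dc
            EventId     = $_.Id
            # Kerberos events report IPv4 clients as ::ffff:a.b.c.d
            SourceIP    = "$($d['IpAddress'])" -replace '^::ffff:', ''
            # 4624 uses WorkstationName, 4776 uses Workstation
            Workstation = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['Workstation'] }
            Service     = $d['ServiceName']   # krbtgt on 4768, requested service on 4769
            LogonType   = $d['LogonType']     # present on 4624 only
        }
    }
}

# Full timeline for the record, then one line per distinct source to chase down
$hits | Sort-Object Time | Export-Csv .\account-usage.csv -NoTypeInformation
$hits | Group-Object SourceIP, Workstation, EventId |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Filtering happens client-side here, so on busy DCs keep the window short. A source that shows up only as 4776 is authenticating with NTLM and will have a workstation name but no IP address in the event.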
