How to find out when a particular domain user logs on

I'm trying to remove an older account from regular use in order to better secure my network.  Prior staff had gotten in the habit of using the same domain admin account for many services and applications and I'd like to clean it up.  I'd like to find a way to see where this account is being used without having to examine every single service and application that we use.

We're running a server 2008 domain with two DCs.  What would be the easiest way to find out where this account is being used?  I was thinking the event logs would be a good place to start but I am not very familiar with some of the more advanced events with server 2008.  If there is a tool for this purpose that I could run and save time that would be even better.
First LastAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Here's what you need & it works like a charm:

Good luck!
First LastAuthor Commented:
Ok, this looks interesting so I'm trying out the demo.  I was hoping to find something free since this is a one time event but the demo might be enough to do the job.  Thanks for the assist!
First LastAuthor Commented:
It looks like the demo does not include ad integration so I won't be able to test with it.  Any others I could try that you might know of?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Daryl BamforthTechnical ExpertCommented:
Daryl BamforthTechnical ExpertCommented:
This tool looks promising with free non-commercial use

You could also lock the account out (or change password) and then run this to identify where the account is trying to authenticate from.

And if you want to go full blown extreme

Although this is specifically to limit logons it would also act as a tool to see where a user is authenticating from.
First LastAuthor Commented:
@un0ri - What I really need to know is where the account is being used rather then when since I know its running a variety of services throughout the day

I tried ad-query but that only gives detailed info about the account but nothing about where it is being used

I can't really lock it out since it would bring down many production servers/services.  What I really need is something that tells me each time the account authenticates against a DC with a timestamp and an originating IP address so I can track down each instance.
Daryl BamforthTechnical ExpertCommented:
In which case you may want to look at setting up some AD auditing.  Details in Microsoft KB

Once you have it set up you can target specific users for more verbose logging.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.