Solved

How to find out when a particular domain user logs on

Posted on 2012-04-11
Last Modified: 2012-04-13
I'm trying to remove an older account from regular use in order to better secure my network.  Prior staff had gotten in the habit of using the same domain admin account for many services and applications and I'd like to clean it up.  I'd like to find a way to see where this account is being used without having to examine every single service and application that we use.

We're running a Server 2008 domain with two DCs.  What would be the easiest way to find out where this account is being used?  I was thinking the event logs would be a good place to start but I am not very familiar with some of the more advanced events with Server 2008.  If there is a tool for this purpose that I could run and save time that would be even better.
Question by:First Last
7 Comments
 
LVL 15

Expert Comment

by:wantabe2
ID: 37834227
Here's what you need & it works like a charm:

http://www.thycotic.com/products_secretserver_serviceaccounts.html


Good luck!
0
 
LVL 1

Author Comment

by:First Last
ID: 37834396
Ok, this looks interesting so I'm trying out the demo.  I was hoping to find something free since this is a one-time event but the demo might be enough to do the job.  Thanks for the assist!
0
 
LVL 1

Author Comment

by:First Last
ID: 37834440
It looks like the demo does not include AD integration so I won't be able to test with it.  Any others I could try that you might know of?
0
 
LVL 5

Expert Comment

by:Daryl Bamforth
ID: 37834571
0
 
LVL 5

Expert Comment

by:Daryl Bamforth
ID: 37834609
This tool looks promising, with free non-commercial use:

http://www.sysoptools.com/ad-query.aspx

You could also lock the account out (or change password) and then run this to identify where the account is trying to authenticate from.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

And if you want to go full-blown extreme:

http://www.windowsitpro.com/article/john-savills-windows-faqs/how-can-i-limit-the-number-of-allowed-concurrent-sessions-per-user-in-an-active-directory-ad-domain-

Although this is specifically to limit logons it would also act as a tool to see where a user is authenticating from.
0
 
LVL 1

Author Comment

by:First Last
ID: 37837267
@un0ri - What I really need to know is where the account is being used rather than when, since I know it's running a variety of services throughout the day.

I tried ad-query but that only gives detailed info about the account but nothing about where it is being used.

I can't really lock it out since it would bring down many production servers/services.  What I really need is something that tells me each time the account authenticates against a DC with a timestamp and an originating IP address so I can track down each instance.
0
 
LVL 5

Accepted Solution

by:
Daryl Bamforth earned 2000 total points
ID: 37837415
In which case you may want to look at setting up some AD auditing.  Details in Microsoft KB

http://support.microsoft.com/kb/814595

Once you have it set up you can target specific users for more verbose logging.
0
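
Once auditing of logon events is enabled as the accepted answer suggests, the per-authentication timestamp and originating address the asker wanted can be read from each DC's Security log. The following is an added example, not part of the original thread; the DC names, account name and output path are placeholders, and it assumes PowerShell 2.0 or later with rights to read the DCs' Security logs remotely.

```powershell
# Placeholders (assumptions): substitute your own DC names and the account's logon name.
$DomainControllers = 'DC01', 'DC02'
$Account           = 'oldadmin'
$Since             = (Get-Date).AddDays(-7)

# 4624 = successful logon on the DC itself
# 4768 = Kerberos TGT requested from the DC
# 4776 = DC validated credentials (NTLM)
$filter = @{ LogName = 'Security'; Id = 4624, 4768, 4776; StartTime = $Since }

$hits = foreach ($dc in $DomainControllers) {
    # SilentlyContinue: Get-WinEvent raises an error when a DC has no matching events.
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_

        # Flatten the named <Data> fields of the event into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # Drop any @REALM suffix before comparing (-eq is case-insensitive).
        $user = "$($data['TargetUserName'])" -replace '@.*$', ''
        if ($user -eq $Account) {
            # 4624 records WorkstationName, 4776 records Workstation, 4768 records neither.
            $ws = $data['WorkstationName']
            if (-not $ws) { $ws = $data['Workstation'] }

            New-Object PSObject -Property @{
                Time        = $evt.TimeCreated
                DC          = $dc
                EventId     = $evt.Id
                LogonType   = $data['LogonType']                      # 4624 only
                SourceIP    = "$($data['IpAddress'])" -replace '^::ffff:', ''
                Workstation = $ws
            }
        }
    }
}

# Full timeline for later review, then a summary of distinct sources to track down.
$hits | Select-Object Time, DC, EventId, LogonType, SourceIP, Workstation |
    Sort-Object Time | Export-Csv -Path .\account-usage.csv -NoTypeInformation
$hits | Group-Object SourceIP, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each distinct source in the summary is a machine to inspect for services, scheduled tasks or applications still configured with the account; run it over a window long enough to catch weekly or monthly jobs before retiring the account.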