I need some sort of general brain storming from you experts around user activity. Essentially there is a (slight/potential) allegation someone may have compromised another users domain username/password and logged into the domain from a PC with those credentials. In terms of “what they did” with that account what areas would you look to for clues, I could do with just a top 5 areas you’d review to see what kind of activity took place. Internet activity is the obvious but potentially many many more. If of any use the machines are XP.