Windows Password


I have questions.

1. On Windows 2003 & 2008, is there any log file which has information about Administrator password & RDP port changes: from which date/time/IP, etc.?

2. Is there any application which keeps these logs and sends an email to the admin when server access/password/port changes?

Asked by Shamsul Kamal (Junior Tech)

Auditing policy can handle the event log entry into the security log on a change.
Splunk can be used to aggregate data.
Windows 2008 can forward event log events.

Installing SNMP and then configuring the event log to SNMP (evntwin) will generate traps to an snmptrapd server.

The snmptrapd server can be configured to generate an email when a specific type of alert comes in.

The optimal solution is to limit the number of administrators/users who can change the administrator's password.
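One way to turn the audit entries described above into the e-mail alert the question asks for, as an added example that is not code from this thread: a PowerShell script, run hourly from Task Scheduler, that pulls the relevant Security-log events and mails a summary. It assumes Windows Server 2008 with "Audit account management" and "Audit object access" enabled, a SACL on the RDP-Tcp registry key so that writes to PortNumber produce event 4657, and placeholder SMTP values.

```powershell
# Added example, not code from the thread: poll the Security log for Administrator
# password changes and RDP listening-port changes, then e-mail the admin.
# Assumes Windows Server 2008 with "Audit account management" and "Audit object
# access" enabled, plus a SACL on the RDP-Tcp registry key so that writes to
# PortNumber produce event 4657. SMTP settings below are placeholders.
$SmtpServer = 'smtp.example.invalid'    # placeholder
$From       = 'alerts@example.invalid'  # placeholder
$To         = 'admin@example.invalid'   # placeholder
$Since      = (Get-Date).AddHours(-1)   # matches an hourly scheduled task

# 4723 = password change attempt, 4724 = password reset attempt (Server 2003 uses
# the older IDs 627/628). Properties[0] is TargetUserName in both event schemas.
$pwEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4723, 4724; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq 'Administrator' }

# 4657 = registry value modified; RDP listens on the PortNumber value under
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
$rdpEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4657; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'RDP-Tcp' -and $_.Message -match 'PortNumber' }

$findings = @($pwEvents) + @($rdpEvents) | Where-Object { $_ }
if (-not $findings) { return }   # nothing to report in this interval

# One line per event: when, which event, on which host, and the acting account
# (the first "Account Name:" line in the message is the Subject, i.e. who did it).
$lines = foreach ($e in $findings) {
    $who = ($e.Message -split "`r?`n" |
            Where-Object { $_ -match 'Account Name:' } |
            Select-Object -First 1) -replace '\s+', ' '
    '{0:u}  EventID {1}  {2}  on {3}  {4}' -f $e.TimeCreated, $e.Id,
        $e.TaskDisplayName, $e.MachineName, "$who".Trim()
}

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject ("[{0}] Admin password / RDP port change detected" -f $env:COMPUTERNAME) `
    -Body ($lines -join "`n")
```

The same filters can be reused as a Splunk or event-forwarding search once logs are centralised; the script only covers the single-server case.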
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
There are logs, but by default not all auditing is turned on.  What you could do is turn on auditing from now on and keep proper logs.  Splunk or some other log consolidation software could be used for consolidating logs from various systems.
Shamsul Kamal (Junior Tech, Author) commented:
Hi mnkhawaja,

Could you please share the process & method?

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
The way Splunk works is as follows:

1. Install Splunk on a server
2. Install Splunk Light forwarder on your DC and configure it to send event logs to Splunk Server
3. Do the same on your RDS server
4. Once done, you should be able to see events in the Splunk Server
5. You could create dashboards, queries (i.e. log type (application, security, etc.), source (server), event ID, etc.)

Please refer to the Splunk documentation; it is straightforward.  I don't have one running right now and I haven't used it for a few months.
