Clients using Administrator Password on Network

Hi, I have clients on the network who are using the Network Administrator Password for their Windows Login. Is there:
1. A command prompt command (like netsh) I can use to track down those clients?
2. Is there a piece of software I can eval to track down those clients?

Thanks in advance
Van Johnson, Chief Technology Officer, Asked:

Bryant Schaper Commented:
Change the password and see who screams; AD will show you the workstation they logged in from in the event log. On a small network, you could use ManageEngine AD Audit/Manager on a free trial and run a report.

Steven Carnahan, Network Manager, Commented:
Good security practice is to disable the built-in Administrator account. When disabled, it is still usable for Safe Mode and Recovery Console.

Anyone that needs Administrative permissions should have two accounts. One for administrative functions and another user account for day to day use such as reading email, browsing the web, etc.

Based on how seriously you take network security, this is a worst-case scenario. There will be people who would say your domain is now lost, security-wise, because you will not know whether these hobby admins had malicious intent and established some backdoors they could use to regain power even after you change the password.

Finding out where it is used: Bryant told you where. The security event log of your domain controllers does log logon events; you can search for your network admin's name there and you'll see where he logged in.

For the future: Users should not get even close to getting hold of those credentials.
-> Never type those in their presence, to prevent "shoulder surfing" attacks.
-> Use special workstation admin accounts that can only administer one workstation, so that it won't hurt too much if those are compromised one way or the other. I wrote an article about that:

Van Johnson, Chief Technology Officer, Author Commented:
Thanks for the ideas
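
One way to run the domain controller event log search suggested in the answers above, as an added example that is not part of the original thread. It reads logon (4624), Kerberos ticket request (4768) and NTLM validation (4776) events from each DC and lists the clients that authenticated as the shared account. The DC name `DC01`, the account name `Administrator` and the 7-day window are placeholders to replace with your own values.

```powershell
# Added example: the DC list, account name and look-back window are assumed placeholders.
param(
    [string[]]$DomainController = @('DC01'),   # placeholder DC name(s)
    [string]$Account = 'Administrator',        # placeholder: the shared admin account
    [int]$Days = 7                             # how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4768, 4776   # logon, Kerberos TGT request, NTLM credential validation
    StartTime = (Get-Date).AddDays(-$Days)
}

$hits = foreach ($dc in $DomainController) {
    # SilentlyContinue also hides "no matching events"; remove it when troubleshooting access.
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Turn the event's <Data Name="..."> elements into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # Compare client-side so the account name matches regardless of case.
            if ($data['TargetUserName'] -ieq $Account) {
                # 4624 names the client in 'WorkstationName'; 4776 uses 'Workstation'.
                $source = $data['WorkstationName']
                if (-not $source) { $source = $data['Workstation'] }
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    DC        = $dc
                    EventId   = $_.Id
                    LogonType = $data['LogonType']   # only present on 4624
                    Source    = $source
                    IpAddress = $data['IpAddress']   # not present on 4776
                }
            }
        }
}

# One row per distinct client (name + address), most active first.
$hits | Group-Object Source, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
```

Run it from an elevated session with rights to read the Security log on each DC. Interactive logons at a workstation are recorded as 4624 in that workstation's own log, so on the DC they usually appear as the 4768 or 4776 entries.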