Avatar of Albert Widjaja
Albert Widjaja
Flag for Australia asked on

Tracking the usage for DOMAIN\Administrator account in Security logs of Domain Controllers


How can I track down which Event viewer where DOMAIN\Administrator account is being used ?

i need to perform the audit for PCI compliance and then change the password & rename this Administrator account, but so far just wanted to know where it is being actively used.

Note: I have around 60 AD sites for each different site offices & there are 6 domain controllers spread across the different Subnets.

So any help and suggestion would be greatly appreciated.

Active DirectorySecurityIT AdministrationOS SecurityMicrosoft Server OS

Avatar of undefined
Last Comment
Albert Widjaja

8/22/2022 - Mon
Benjamin Voglar


I wrote a Powershell script. I was looking for something else in eventviewer in our Company.

I modified it so that it is now looking for Administrator in All EventViewers in you AD.

$datum = Get-Date

$comp = Get-ADComputer -Filter *
write " "
Write "Start"
Write "______________________"

ForEach  ($obj in $comp.dnshostname) {


    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {

    $Seznam=Get-WinEvent -LogName "system" -ComputerName $obj | Where { ($_.Message -like "Administrator")} | select Machinename,TimeCreated,ID,Message 
    add-content -path c:\folder\list_of_admin.txt -value $Seznam 
    write-host "$obj – Writing to the File ...." -foregroundcolor "yellow"

    else { write "$obj – Not a live!" }


Open in new window

Albert Widjaja

Hi Benjamin,

Does that means the powershell script will looks for all event viewer in all computers in the AD domain ?

Is it possible to limit it just for the security log in all AD domain controllers only ?
Benjamin Voglar

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Albert Widjaja

Thanks for the quick reply Ben,

However, when I execute the script on my Powershell ISE under DOMAIN\Administrator acount, I get:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:12 char:13
+ ...      $Event=Get-WinEvent -LogName "system" -ComputerName $obj | Where ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
    + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand

Open in new window

Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes