?
Solved

Windows Security Event ID to check for Service account usage

Posted on 2016-09-13
3
Medium Priority
?
234 Views
Last Modified: 2016-09-27
Hi People,

I'm trying to find the usage of a particular DOMAIN\Service-Account usage in my whole AD domain.

Can anyone here please share which Security Event ID should I be looking / monitor or filter for the usage of this particular AD service account ?

So far I only know Security event ID 4624.

Thanks.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 2

Assisted Solution

by:Brad99
Brad99 earned 1000 total points
ID: 41795578
Hi,

plz check for example this link http://www.eventtracker.com/newsletters/following-a-users-logon-tracks-throughout-the-windows-domain/

Should help you with other conditions like "user fails authentication" ->  the domain controllers logs event ID 4771 or an audit failure instance 4768 etc.

BR
Emu
1
 
LVL 64

Accepted Solution

by:
btan earned 1000 total points
ID: 41795782
May be good to reference the list of audit scope that will be likely area of interest to surface what that particular account will be involved in besides just logon. I listed some key resources and and the link states the event ID corresponding to the trigger if it happened.
https://technet.microsoft.com/en-us/library/dn319080(v=ws.11).aspx
-Audit Logon
-Audit Logoff
-Audit Special Logon
-Audit Computer Account Management
-Audit User Account Management
-Audit Process Creation
-Audit File Share
-Audit Directory Service Access
-Audit Kernel Object
-Audit Registry
-Audit SAM
-Audit Sensitive Privilege Use
-Audit Non-Sensitive Privilege Use
1
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41819010
Thanks !
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question