Capture domain admin account logins

  • Capture domain admin account logins

    Hi There,

    We have a domain admin account that has existed for years and is integrated and used in lots of places throughout the network.

    I want to change this and am beginning the process of documenting all the places it is used, such as apps, services, etc.

    As lots of apps/ services will use this account to authenticate against the domain I would like to enable audit logging and a supplementary process to list the log on attempts.

    What I need to know is what type of log on would such an authentication be, e.g. type 3(network) and also would the application used be logged or just the server/ IP address?

  • #2
    Re: Capture domain admin account logins

    I don't know of a way to automatically tally all this together in one place. Authentication takes place on a domain controller, so as long as every one of your DCs' security logs is set to include success & failure, you'll have the entries. But those won't include the app that is calling the authentication; the best you'll get is the PC the request came from.

    How you're going to identify which process on the requesting PC is going to be a bit manual, I think. But every app that runs on a server doesn't necessarily leave traces of its running. Have you looked through a Services list on your servers, looking at the right-hand default column which shows the logon username for that service? Most will be Local System or Network, but any service which runs using your admin account will stand out there.

    Also, are we assuming that no other admins are using that same account name, so as to be sure any traces you DO find are only the automated processes you're trying to track down?
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: Capture domain admin account logins

      RicklesP,

      Thanks for this. I have gathered the services configured with the account using PowerShell. I am also working on gathering the logs from the DCs using it, filtering on event ID. I really needed to know if the calling application left a trace so I could pinpoint it, rather than just the server, which I can get from the log.

      Ah well, I am looking at getting the info from the message body of the security event using PS, we'll see how it goes. Failing that I guess it will have to be good old fashioned manual labour to trawl through.

      Thanks again for your feedback.

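An added example of the PowerShell approach mentioned above (not code from the thread): it pulls 4624/4625 logon events for one account from a list of servers, parses the event XML instead of the free-text message body, and tabulates logon type, source host/IP and the local process that requested the logon. The account name and server list are placeholders; it assumes remote read access to the Security log on each host.

```powershell
# Added example, not from the thread. $Account and $Servers are placeholders.
$Account = 'svc_legacyadmin'                      # placeholder: the shared admin account
$Servers = @('SERVER01', 'SERVER02')              # placeholder: hosts whose Security log to read
$Since   = (Get-Date).AddDays(-7)

# Labels for the LogonType field of 4624 (success) and 4625 (failure).
$LogonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-AccountLogonEvents {
    param([string]$ComputerName)
    # FilterHashtable filters on the remote side; the account filter is applied after parsing.
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The XML view exposes the message-body fields by name, so no regex over the text is needed.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $Account) { return }   # skip other accounts
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LoggedOn    = $ComputerName                         # host where the session was created
                EventId     = $_.Id
                LogonType   = $LogonTypes[[int]$data['LogonType']]
                SourceHost  = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
                LogonProc   = $data['LogonProcessName']             # e.g. Kerberos, NtLmSsp, Advapi
                # For network logons this is the receiving service on this host, not the calling app.
                ProcessName = $data['ProcessName']
            }
        }
}

$results = foreach ($s in $Servers) { Get-AccountLogonEvents -ComputerName $s }

# Summarise where and how the account is being used, then keep the raw rows for follow-up.
$results | Group-Object LoggedOn, LogonType, SourceHost | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$results | Export-Csv -Path ".\$Account-logons.csv" -NoTypeInformation
```

Note that 4624/4625 are written on the machine where the logon session is created (the member server), so run this against the servers the account authenticates to; the DCs themselves record the ticket or NTLM validation rather than the application-side session.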


      • #4
        Re: Capture domain admin account logins

        You're welcome. Sorry I didn't have a less labor-intensive answer for you, but the kind of info you're after is why 'best practice' is never to do what's been done before you got to it. Service accounts, system or network creds are all that should ever be used for services on boxes. And those, well-documented.

        Good hunting.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **
