Re: Audit the administrator account?
From: x y (email@example.com)
- Next message: Tim Cassel: "User logons"
- Previous message: Grog in Ohio: "Re: Audit the administrator account?"
- In reply to: Scott: "Audit the administrator account?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y" <firstname.lastname@example.org> Date: Wed, 29 May 2002 16:04:32 -0400
For the local admin password, set up or use a workstation that is not joined
to the domain. Write a batch file or other script that from time to time
tries to connect to each computer using the ID and password, such as
net use x: /delete [or net use \\servername\c$ /delete ]
net use x: \\servername\c$ password /user:administrator [or you can do it
without the x:, e.g.
net use x: \\servername\c$ password /user:administrator ]
if exist x:\ goto next
blat [use blat to send yourself an email OR]
net send yourworkstationname "admin password on xxx has changed..."
You'd want to add some code at the beginning to make sure the device is
turned on or else you will get false alarms. You could for example do
PING computername>>c:\temp\ping.txt and then use something like the
FIND command on the ping.txt file to search for successful replies.
Better yet, if you have $100, you can purchase and use IPsentry which will
do all this for you, and it can call your pager or cell phone, and keeps
historical statistics, and you can set it up to not test the password if the
device does not respond to pings.
"Scott" <email@example.com> wrote in message
> Hello all,
> I am responsible for about 300 workstations and I need to
> know how to setup auditing on the administrator account in
> a way that I will be notified when the password has been
> At this point in time, we are still on a Windows NT
> domain, so I don't have any of the auditing tools
> available to AD administrators.
> It is very simple for a user to grab the standard linux
> disk and change the password, and I was wondering if there
> was a way for that workstation to notify me via email or
> some other means that the password has been changed?
> p.s. We are in the process of locking down the BIOS,
> disabling the floppy boot option ect ect....