Re: auditing
From: Steven L Umbach (n9rouz_at_nscomcast.net)
Date: 11/20/03
- Previous message: Steven L Umbach: "Re: Tips on auditing"
- In reply to: brian: "auditing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Nov 2003 22:59:19 GMT
You would have to enable auditing of logon events for domain machines. You may want
to only enable auditing of failures on domain computers that are not resource
servers. Then you would have to scan the security logs in Event Viewer for the failed
logon attempts using your account. You can do that on a large scale with third party
tools or try Event Comb from Microsoft. The failed logon attempts could be logging
onto the domain or trying to access network shares which could include the
administrative share on any domain computer. Keep in mind that it may not be
malicious. Many times this will happen if a user is logged onto another machine, a
mapped drive, service account, Scheduled Task, or anywhere else your credentials are
being used and your password has changed. See links below for more info.
--- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549
http://support.microsoft.com/default.aspx?scid=KB;en-us;q300958
http://tinyurl.com/vtyv
http://tinyurl.com/a5zj -- Read the white paper here also.
"brian" <anonymous@discussions.microsoft.com> wrote in message
news:28db01c3af94$6c019710$a601280a@phx.gbl...
> Hi. I believe that someone is using my account because my
> account keeps getting locked out. Anyone know of a way to
> see if someone is attempting to log on with my account,
> from what pc and at what time? I'm sure there's a way to
> do it via the event viewer, not sure how to do it on a
> domain wide scale.
>
> thx
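The log scan described in the reply above, as an added example that is not part of the original post: it groups failed logons for one account by originating machine, with first and last time seen. It goes beyond the 2003-era tooling in the thread by assuming current Windows event ID 4625 and Security log records exported as XML (the shape `wevtutil qe Security /f:xml` produces); all sample events, host names and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FAILED_LOGON = "4625"  # "An account failed to log on" (assumed: Vista/2008 and later)

# Constructed sample events, shaped like exported Security log XML.
def _event(eid, when, logged_on, user, workstation, ip):
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>{logged_on}</Computer></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="WorkstationName">{workstation}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

SAMPLE = "".join([
    _event(4625, "2024-03-01T08:00:05Z", "DC01", "brian", "WS-LAB7", "10.0.0.57"),
    _event(4624, "2024-03-01T08:01:00Z", "DC01", "brian", "WS-DESK1", "10.0.0.11"),  # success, ignored
    _event(4625, "2024-03-01T08:30:05Z", "FS02", "BRIAN", "WS-LAB7", "10.0.0.57"),
    _event(4625, "2024-03-01T09:00:00Z", "DC01", "alice", "WS-DESK9", "10.0.0.19"),
    _event(4625, "2024-03-01T09:15:00Z", "FS02", "brian", "-", "10.0.0.80"),  # no workstation name
])

def failed_logons(xml_events, account):
    """Group failed logons for `account` by the machine the attempt came from."""
    root = ET.fromstring(f"<Events>{xml_events}</Events>")  # the export has no root element
    sources = defaultdict(lambda: {"count": 0, "first": None, "last": None, "seen_on": set()})
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != FAILED_LOGON:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != account.lower():
            continue  # account names are case-insensitive
        ws = data.get("WorkstationName", "")
        src = ws if ws not in ("", "-") else data.get("IpAddress", "unknown")
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        s = sources[src]
        s["count"] += 1
        # Same-format UTC ISO timestamps compare correctly as strings.
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
        s["seen_on"].add(ev.findtext("e:System/e:Computer", namespaces=NS))
    return dict(sources)

if __name__ == "__main__":
    hits = failed_logons(SAMPLE, "brian")
    for src, s in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        print(f'{src:10} {s["count"]} failures {s["first"]} .. {s["last"]} logged on {sorted(s["seen_on"])}')
```

A source that keeps failing at regular intervals from one workstation fits the stale-credential cases the reply lists (mapped drive, service account, Scheduled Task) and is the first place to look.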