Re: User Activities




"tslu" <tslu69@xxxxxxxxx> wrote in message
news:ubAdcNmnHHA.3512@xxxxxxxxxxxxxxxxxxxxxxx
Hi, I have a situation where an employee had logged into the domain
network as an administrator and got into a PC to delete certain folders in
that PC.

Can I obtain information such as:
1. Which PC the administrator logged in from
2. Which PC the administrator got into
3. Time and date the incident happened

You don't give much to go on. For example, do you know the administrator
account that was used? Do you know who it was that did this? Is that person
authorized to use the administrator account?

And, if you do not know on which PC this happened, how did you become aware
that any folders went missing?

As to the specifics:

1. I don't know of a standard way to determine this. We do it by examining
logs created by our logon scripts, but even then, a rogue administrator
would be able to cover his tracks. I have been told that AD2003 may have a
way of doing this, but the feature needs to be enabled, as it is off by
default.

2. You could search the hard drives of all workstations to see which one has
these particular folders missing. Not much good if it was unique information
and you want it back.

3. If you are not already doing extensive auditing, this may not be
possible. That said, it might be worth having a close look at event viewer
to see what kinds of events are being recorded there.


/Al
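
Added example, not part of the original thread: one way to pull the three items asked about (source PC, target PC, time) out of an exported Security log. It assumes logon auditing was already enabled, that the events use the event ID 4624 schema of Windows Vista/Server 2008 and later, and that the log was exported with `wevtutil qe Security /f:xml` and wrapped in a root element; the host names, account and timestamps in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote-interactive"}

# Constructed sample in the layout `wevtutil qe Security /f:xml` emits,
# wrapped in a root element. Host names, account and times are made up.
_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>{eid}</EventID><TimeCreated SystemTime="{when}"/>
  <Computer>{target}</Computer></System>
 <EventData><Data Name="TargetUserName">{user}</Data>
  <Data Name="LogonType">{ltype}</Data>
  <Data Name="WorkstationName">{src}</Data>
  <Data Name="IpAddress">{ip}</Data></EventData></Event>"""
SAMPLE = "<Events>" + "".join(_EVENT.format(**e) for e in [
    dict(eid=4624, when="2007-05-22T09:14:03.000Z", target="PC-FINANCE01",
         user="Administrator", ltype=3, src="PC-DESK17", ip="192.0.2.45"),
    dict(eid=4624, when="2007-05-22T09:20:41.000Z", target="PC-DESK17",
         user="jsmith", ltype=2, src="PC-DESK17", ip="127.0.0.1"),
    dict(eid=4634, when="2007-05-22T09:31:10.000Z", target="PC-FINANCE01",
         user="Administrator", ltype=3, src="", ip=""),
]) + "</Events>"


def admin_logons(xml_text, account="administrator"):
    """List successful logons (event 4624) by `account`, oldest first."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # skip logoffs and every other event type
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != account.lower():
            continue
        rows.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "source_pc": data.get("WorkstationName", ""),  # where they logged in from
            "source_ip": data.get("IpAddress", ""),
            "target_pc": ev.findtext("e:System/e:Computer", namespaces=NS),  # PC entered
            "logon_type": LOGON_TYPES.get(data.get("LogonType"), "other"),
        })
    return sorted(rows, key=lambda r: r["time"])


if __name__ == "__main__":
    for row in admin_logons(SAMPLE):
        print(row)
```

The result only covers logons that were audited at the time, so an empty list from a PC's export does not show that nobody logged on to it.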

