Re: User Activities



Hi Al,

Okay, let me elaborate on the network setup. We have a MS 2003 Server as
the domain controller. I suspect an employee who used the system
administrator ID and password to log into a PC through their
workstation and deleted files and folders. This person is one of 3
persons who have the password and ID to the administrator password.

From the victim's PC, we are able to view from the event viewer that the
administrator had logged in and deleted something. How we came to know of the incident was that the user complained of missing folders.

What I am concerned with is: am I able to view the MS 2003 server log to know which PC this person logged in from? Or maybe there are tools available.

Maybe you can give me some guidelines to prevent this type of incident from happening.

Al Dunbar wrote:
"tslu" <tslu69@xxxxxxxxx> wrote in message news:ubAdcNmnHHA.3512@xxxxxxxxxxxxxxxxxxxxxxx
Hi, I have a situation where an employee had logged into the domain network as an administrator and got into a PC to delete certain folders in that PC.

Can I obtain information such as :
1. Which PC the administrator logged in from
2. Which PC the administrator got into
3. Time and date the incident happened

You don't give much to go on. For example, do you know the administrator account that was used? Do you know who it was that did this? Is that person authorized to use the administrator account?

And, if you do not know on which PC this happened, how did you become aware that any folders went missing?

As to the specifics:

1. I don't know of a standard way to determine this. We do it by examining logs created by our logon scripts, but even then, a rogue administrator would be able to cover his tracks. I have been told that AD 2003 may have a way of doing this, but the feature needs to be enabled, as it is off by default.

2. You could search the hard drives of all workstations to see which one has these particular folders missing. Not much good if it was unique information and you want it back.

3. If you are not already doing extensive auditing, this may not be possible. That said, it might be worth having a close look at event viewer to see what kinds of events are being recorded there.


/Al
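
A sketch of the event-log review suggested in point 3, as an added example that is not part of the original thread: it filters an exported Security log for successful logon events (IDs 528 and 540 on Windows Server 2003 and XP) by the Administrator account and reports the workstation name and source address recorded for each. The one-record-per-line export format, host names and addresses are constructed for illustration, and these events exist only if logon auditing was enabled before the incident.

```python
import re
from datetime import datetime

# Constructed sample: one record per line as "time|event id|description".
# Field names follow the 528/540 logon event text; all values are invented.
SAMPLE_LOG = """\
2007-05-21 08:55:10|528|User Name: jsmith; Domain: CORP; Logon Type: 2; Workstation Name: VICTIM-PC
2007-05-21 17:42:31|540|User Name: Administrator; Domain: CORP; Logon Type: 3; Workstation Name: WS-ACCT-02; Source Network Address: 192.168.1.57
2007-05-21 17:49:02|538|User Name: Administrator; Domain: CORP; Logon Type: 3
2007-05-22 09:03:44|528|User Name: administrator; Domain: CORP; Logon Type: 2; Workstation Name: VICTIM-PC
"""

LOGON_EVENTS = {528, 540}  # successful logon / successful network logon
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}
FIELD = re.compile(r"\s*([^:;]+):\s*([^;]*)")

def parse_records(text):
    """Yield (timestamp, event_id, fields) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip blank or truncated lines
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(parts[2])}
        yield when, int(parts[1]), fields

def admin_logons(text, account="Administrator"):
    """Return logons by `account` with the origin each record names."""
    hits = []
    for when, event_id, f in parse_records(text):
        if event_id not in LOGON_EVENTS:
            continue
        if f.get("User Name", "").lower() != account.lower():
            continue  # account names are compared case-insensitively
        ltype = int(f.get("Logon Type", 0))
        # "-" or a missing field means the log did not record a source
        source = f.get("Source Network Address", "-")
        hits.append({
            "time": when,
            "type": LOGON_TYPES.get(ltype, str(ltype)),
            "workstation": f.get("Workstation Name", "-"),
            "source": None if source == "-" else source,
        })
    return hits

if __name__ == "__main__":
    for h in admin_logons(SAMPLE_LOG):
        print(h["time"], h["type"], h["workstation"], h["source"])
```

A network logon (type 3) names the machine the session came from, while an interactive logon (type 2) only shows that someone was at the console of the machine that wrote the record.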


