AD Auditing of user accounts

I am interested in auditing account logons for a handful of domain
accounts in our 2008 AD domain. I am familiar with setting up domain
auditing via GPO but not sure how to accomplish this task:

I want to know when this handful of users log in and know their IP
address. I would also like this event information to be forwarded to a
single txt file on the network so that I don't have to check the
event log on all the domain controllers.

Thanks in advance.
0
RC
6/22/2010 1:15:22 PM
windows.server.active_director

Hello RC,

Check out the script from Richard, made exactly for this:
http://www.rlmueller.net/Logon5.htm

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 




0
Meinolf
6/22/2010 1:26:35 PM
Thanks Meinolf. I am familiar with Richard's work. This is perfect but
I will not be able to force these scripts down to all the systems in
the domain. I would need to gather this information without logon or
logoff scripts, but the information that is gathered in Richard's
scripts is exactly what I would want. I would also want to parse
through the logs and only pull certain accounts into this separate txt
file.

I believe the security events 4776 Credential Validation and 4624
Logon audit this information along with the IP address. My last step
is to crawl all of my domain controllers' security event logs for a
handful of users that I want to audit and send that info over to a
network share that is holding my text file.
0
RC
6/22/2010 1:46:32 PM
Howdie!

On 22.06.2010 15:46, RC wrote:
> I believe the security events 4776 Credential Validation and 4624
> Logon audit this information along with the IP address. My last step
> is to crawl all of my domain controllers' security event logs for a
> handful of users that I want to audit and send that info over to a
> network share that is holding my text file.

You have 2008 DCs (only)? Those have the ability to associate an action 
with a certain event ID occurrence. Well, you'd have to have 2008 DCs for that 
(downlevel servers don't have that option).

I believe you'll have to crawl the event logs of the DCs to get that 
info -- PowerShell is good at that, if you don't have a script/language 
preference yet.

Cheers,
Florian
0
Florian
6/22/2010 4:12:24 PM
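
The crawl discussed in this thread, sketched in PowerShell as an added example (not code posted by anyone in the thread): it queries each DC's Security log for events 4624 and 4776, keeps only the watched accounts, and appends one line per event to a file on a share. The account names, share path and one-hour window are assumptions, and Get-WinEvent needs PowerShell 2.0 or later.

```powershell
# Added example. Account names, share path and look-back window are assumptions.
$WatchList = 'jsmith', 'svc-backup'                 # hypothetical accounts
$OutFile   = '\\fileserver\audit$\logons.txt'       # hypothetical share
$Since     = (Get-Date).AddHours(-1)                # e.g. run hourly as a scheduled task

function ConvertTo-LogonRecord {
    # Flatten one event's XML into a tab-separated line.
    param([string]$EventXml, [string]$Dc)
    $ev = ([xml]$EventXml).Event
    $d  = @{}
    foreach ($n in $ev.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # 4624 carries IpAddress; 4776 names only the source workstation.
    $src = $d['IpAddress']
    if (-not $src -or $src -eq '-') { $src = $d['Workstation'] }
    New-Object psobject -Property @{
        User = $d['TargetUserName']
        Line = ($ev.System.TimeCreated.SystemTime, $Dc, $ev.System.EventID,
                $d['TargetUserName'], $src) -join "`t"
    }
}

function Export-WatchedLogons {
    # Query every DC in the current domain and append matches to $OutFile.
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
    foreach ($dc in $dcs) {
        $filter = @{ LogName = 'Security'; Id = 4624, 4776; StartTime = $Since }
        try {
            Get-WinEvent -ComputerName $dc.Name -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object { ConvertTo-LogonRecord $_.ToXml() $dc.Name } |
                Where-Object { $WatchList -contains $_.User } |
                ForEach-Object { $_.Line } |
                Add-Content -Path $OutFile
        } catch {
            # Record unreachable DCs and empty results so gaps stay visible.
            Add-Content -Path $OutFile -Value "$(Get-Date -Format s)`t$($dc.Name)`tQUERY: $($_.Exception.Message)"
        }
    }
}

# Constructed sample event (not real log data) to check the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID><TimeCreated SystemTime="2010-06-22T13:46:32Z"/></System>
<EventData><Data Name="TargetUserName">jsmith</Data>
<Data Name="IpAddress">192.0.2.15</Data></EventData></Event>
'@
(ConvertTo-LogonRecord $sample 'DC01').Line
# Export-WatchedLogons    # uncomment on a host that can read the DCs' Security logs
```

The account running the crawl needs read access to each DC's Security log, and the look-back window should match the schedule interval so that events are neither skipped nor written twice.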
Reply:

Similar Artilces:

Audit mailboxes on exchange 2003
Hi guys, I need to grant a permission to a user to monitor few mailboxes. When I add a user through advanced exchange tab and give him read perm. then connect remote mailbox in Outlook 2003 and click on the mailbox - it tells me - unable to expand the folder. If I assign full acess to the mailbox to a user then I'm able to open and view e-mails etc. But I dont want a user to remove read/unread flags or be able to delete anything from the mailbox that he's monitoring. I needs to be on the background w/o users knowing it. How do I correctly do it? Is there any :snoopers: that ...

Need better way to provision AD accounts that are to have mailboxes
The exchange admins in my company have come up with a way for the sys admins to assign the user's mailbox store location. It's based off of last name. For example, if your last name starts with letter A, you go on Storage Group 1, Mailbox Store A, if your last name starts with letter B, you go on Storage Group 1, Mailbox Store B, if your last name starts with letter E, you go on Storage Group 2, Mailbox Store A, etc.... This is, I believe, and administrative nightmare. Is there a better way to provision AD accounts that are to have mailboxes? If it works for you and them, then al...

Adding new rows
I have a spreadsheet with 100 rows in, I need to add a row after each current row, is there a quick way to do this or have i got to insert each new row individually? -- Paul Sheppard ------------------------------------------------------------------------ Paul Sheppard's Profile: http://www.excelforum.com/member.php?action=getinfo&userid=24783 View this thread: http://www.excelforum.com/showthread.php?threadid=390760 I assume you want to add an empty new row in between the existing rows. One way would be with an extra column Save as "trial" first.......just in case thi...

Common Client User Session
I periodically get a message saying there was a problem with "Common Client User Session" and the program has to close ---- Outlook remains open but there does appear to be a loss of functionality that requires re-booting! What is the cause of this problem? There is no error message number given. ...

Print a user form image
I learn how to print a text as follows Private Sub CommandButton3_Click() Dim intOutFile As Integer 'number for the output file intOutFile = FreeFile 'get a file number Open "c:\temp\temp.txt" For Output As intOutFile Print #intOutFile, Print_Dev.TextBox1.Text Close intOutFile Shell "c:\windows\notepad.exe /P c:\temp\temp.txt" Kill "c:\temp\temp.txt" 'delete the file if desired End Sub Now I would like to print an image as well... I tried modifying this Print #intOutFile, Print_Dev.TextBox1.Text ...

User able to see records that he is not supposed to
Hi, I have a user having a role that has permission to read only records that are created by him. He is able to see records that are assigned to a team X. He is not a member of team X. I have no clue how he is able to see it. I have checked every setting very carefully.Please help. IS IT a Microsoft CRM BUG??? Cheers, kunal Hi, Kunal, Can you please provide the specific settings of the security role(s) assigned to the user? Thanks, Leslie -- This posting is provided "AS IS" with no warranties, and confers no rights. Please do not send e-mail directly to this alias. This ...

Column widths get changed when another user opens my files
hello, i save an excel file on a network drive and when another user opens it the width of the columns are all changed. what's going on? How can we get stop this? thanks!!! ...

Opening another user's appointment copies appt into my Calendar
I frequently open other users' appointments when viewing their calendars. However, upon opening the item, a copy of the appointment then appears in my personal calendar. Does anyone know why this is happening and how to make it stop? Thanks. ...

Exchange / Outlook 2003 Public Folder Shared Calendar
We run an Exchange 2003 server with Outlook 2003 clients (via Citrix), on Windows 2003 Server. I have a bit of an odd problem with a public folder shared calendar I created for one of our offices. I created it in the normal way in Outlook, and applied appropriate permissions to all the users in that group. They can all see the calendar, and although they can add entries to it, they cannot see the appointments added by their colleagues - which pretty much negates the point of having it in the first place. I don't think it is an issue with the free / busy replication, as there is only one se...

User Authentication
Hello All I want to authenticate a windows user i cant use LogonUser because the client user may not have SE_TCB_NAME privilage i am using SSPI but in case of error i does not provide exact error message: For example if the user is not allowed to log on the domain from the this computer. SSPI gives an internal SSPI error rather than informing that the user is not allowed to login from this computer. Is there any other way to authenticate domain and Local users. Thanks in Advance! Faisal Mansoor ...

OWA Users/Expired passwords
I have several users who will only be logging in to Outlook Web Access (Exchange 2003), and once they're logged in to OWA they can change their passwords, but if they for some reason let their passwords expire, OWA doesn't allow them the opportunity to change their passwords; this is the case whether we use a dialog login box or forms-based authentication. Is there any way we can set OWA so that it automatically takes a user to the IIS password change screen if someone tries to log in with an expired password? this should solve your problem http://www.petri.co.il/enable_pass...

Weird exchange service account problems
Scenario: I attempted to install Brightstor Arcserve backup agent using the arcserve software. I got an error saying it was unable to finalize the account. I manually deleted the dbagent account several times in an attempt to troubleshoot the problem. Now my exchange server is screwed up. Sypmtoms: Logged on as Administrator (Exchange Service Account...I know this should be a seperate user, will rectify that when this is fixed) I am seeing problems with permissions inside of the Exchange Server Administrator program. When I click on Connections->Internet Mail Service connector I get t...

What is the maximum number of users that can share Excel File?
According to the Excel Help file, all users on your network, unless you restrict the number. "pfine" wrote: > ...

scripting adding obj-users and mdb-use-defaults to exchange 5.5 users
I have successfully created a script for creating exchange 5.5 users. I can't however, figure out how to add the assoc-nt-account to the obj-users [pseudo attribute] or set MDB-Use-Defaults to True :-( Can anyone offer advice on how to do this [other than generate a CSV file and use the exchange admin tool to import it]? Thanks Wayne ...

E-mail Account
I am able to connect to Exchange my exchange 2003 server (on server 2003 standard) using the email account "Microsoft Exchange Server". To verify that I am connected I click on "Check name" and both the server name and username are underlined. However once I open Outlook 2003 Outlook is very slow and doesn't repond very well. I try to send an e-mail and it sits in the outbox and messages that are on my exchange server in outlook web access aren't downloaded. If I try send/receive Outlook locks up and even sometime says (not responding). Outlook eventual...

Adding Fields and Tables to MSCRM
Is there a link or some reference on the ability to add fields to existing tables in the CRM database and/or adding complete tables to the CRM database?? I am asking this from the point of view relating to other existing CRM products (saleslogix, frontrange - shh). From what I have played with so far from playing with my SBS2k/MSCRM install is I my need to have a MS developer skillset. Robb, Using the schema manager in the deployment Manager MMC snap-in, you can add fields to the existing tables. However, there is no way to add new tables. Matt "Robb D" <robbd@eproductscons...

Migrating E5.5 Mailboxes with ADC created disabled accounts to to E2K3
I am getting to the end of my migration but still have all the resource mailboxes with ADC generated diabled accounts in AD to migrate. I'm not sure how to proceed with this. Can I just enable the accounts in AD migrate the mailbox and disable it again or do I have to create a whole new account in AD delete the ADC generated account and re-attached the new account to the mailbox in E5.5 then migrate it to E2K3? You can use the accounts it created. -- Ed Crowley MVP - Exchange "Protecting the world from PSTs and brick backups!" "JoeAHM" <joseph.gonzalez@a...

Adding time
I want to add time,like a sum. 12:00+12:00+12:00=36:00? I keep getting a basic time like 12:00. Could you please supply a formula. Thank you Hi In the cell with the formula, Format>Cells>Number>Custom [h]:mm Putting the [ ] brackets around h allows it to sum past 24 hours. Regards Roger Govier trucker wrote: > I want to add time,like a sum. > > 12:00+12:00+12:00=36:00? > > I keep getting a basic time like 12:00. Could you please supply a formula. > > Thank you > ...

Money 2006: Is there an account for FSA?
Is there anything like a special account in Money 2006 for a flexible spending account? And if so, what is it called? Rod I'm not aware of one. Since it wouldn't really have any properties a basic cash account wouldn't have, using a basic cash account is good enough for many of us. "Rod" <rod@no.spam> wrote in message news:%23xX7cJtMHHA.1248@TK2MSFTNGP03.phx.gbl... > Is there anything like a special account in Money 2006 for a flexible > spending account? And if so, what is it called? So, should I set up a cash account, then, or doesn't it ...

Pivot Table and adding a % column, that is not in original data
Hi, Is it possible to add a column for % calculations when the % column is not in original data? To clarify, my original data is as follows: Produt Sales Returns Date A 5 June B 6 June A 1 July A 1 September B 1 November When I run the pivot table, one of the columns I'm then looking to get is a total % of returns over sales , but I cant see how to include in a Pivot table. I can add it outside of the table, but that has problems ...

Payroll posting accounts #4
I am trying to set up information in the payroll posting accounts, when I am in the Employer´s Tax Expense window I can not fill the SUTA & FUTA code. It displays: "This is not a valid tax witholding code". What can I do to solve it? -- Jorge R. HI Jorge, Just give any dummy account as you are not calucting the SUTA and FUTA then system won't do anything but is require so please full fill all the posting account setup requirement before you proceed. "Jorge" wrote: > I am trying to set up information in the payroll posting accounts, when I am > ...

cant send email to certain accounts
I started having an issue sending emails to any .net account yesterday. Here is the error I keep getting. I also can not get the Windows Mail help to open up. I click on it hit OK when the box pops up and nothing else happens. Thanks The message could not be sent. The authentication setting might not be correct for your outgoing e-mail [SMTP] server. For help solving this problem, go to Help, search for "Troubleshoot Windows Mail", and read the "I'm having problems sending e-mail" section. If you need help determining the proper server settings, ple...

Managing Calender's across Multiple Accounts
The CEO of my organization is actually the CEO of several companies, and as such, required several separate e-mail addresses(3). He also travels a lot and makes use of his Aircard to access the company network remotely with his laptop. So, I created an outlook profile for him on his laptop with all 3 Exchange accounts attached to it (on the same profile), but the network traffic was too much for the aircard to handle. So, I seperated them into 3 seperate Outlook profiles, and he needs to choose which to connect to when he logs in. This seems to work out well for him for the most part, wh...

Excel could not save all the data and formatting you recently added
Hi, One of our users sent me an Excel file of 6 MiB. It has 7 worksheets. Most of them have <100 rows and AH columns, one sheet has 13160 rows and AH columns. The large sheet has autofilter enabled, but no actual filtering is done. (yet) 4 columns have validation: they allow a list of values specified in a range somewhere else in the sheet. There is also conditional formatting. It takes >30 seconds to calculate the sheet, however there are no real calculations, just a few concatenated string. My first impression is that this is yet another example of Excel (ab)used as a database. The p...

New user/GAL problem
Hi- We are running a new installation of Exchange 2003 SP1 on Windows Server 2003 SP1. All of our users were successfully setup to use Outlook 2003 (running in cached mode). Now we haved added a new user, but when I went to add them using ADU&C (on exchange server) the user was added but the mailbox and email account was not created. Checked RUS and added a local domain as there was only an Enterprise one listed (per other posts here). Updated the RUS. This added the user mailbox and generated email address. However, I cannot setup user to access mailbox through Outlook as th...