My bad. Just saw the option to check saved logs too. Sorry.

M@

On 4/22/06, Matheesha Weerasinghe <[EMAIL PROTECTED] > wrote:
eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only.

M@


On 4/22/06, mike kline < [EMAIL PROTECTED]> wrote:
You have to turn on auditing in order to track logon events.   Once you turn auditing on you can then search your security event logs for that logon event. 
 
When you go to set auditing you will see two settings. Audit account logon events and audit logon events.  There is a good blog entry about the differences between the two settings and what they mean.
 
We set both for success, failure (per NSA guidelines).  We save our logs daily on the servers and on our workstations we overwrite older events so that disk space doesn't become a huge issue.
 
Once you have the events in the log you can search through them using a tool like Eventcomb.

You can search for EventID 528 and specify the service account to narrow the search.
 
When you say an account with elevated privileges what kind of privileges are you talking about?  Hopefully not a domain admin account. 
 
Thanks
Mike
 
On 4/21/06, Clay, Justin (ITS) <[EMAIL PROTECTED] > wrote:

What's the recommended method for tracking service account logins? We keep a pretty tight rein on service accounts and their passwords, but in some cases we have to provide the passwords to our customers (in this case, customers are other government organizations that we support) for use in their applications. Essentially we just want to know if someone logs into a PC or a server with a service account. We don't want a bunch of people using a service account to gain access to resources, especially if it's an account with elevated privileges.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building

Phone: (615) 880-2573

 



ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
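
Added example, not part of the original thread: the EventID 528 search described above, applied to exported Security log records. It goes one step beyond the thread by reading the logon type from the event, so that a service starting normally (type 5) is separated from a person logging on with the same account at the console or over Terminal Services (types 2 and 10). The CSV layout, the account name `svc_backup` and the domain `EXAMPLE` are assumptions made for the sample.

```python
import csv
import io

# Logon types carried in the fourth insertion string of event 528.
LOGON_TYPES = {"2": "Interactive", "4": "Batch", "5": "Service",
               "7": "Unlock", "10": "RemoteInteractive"}
# Types a service account produces when it is used as intended.
EXPECTED_FOR_SERVICE = {"4", "5"}

# Constructed sample: an export with the event's insertion strings joined by "|"
# in one column (assumed layout; order is user, domain, logon ID, logon type, ...).
SAMPLE_CSV = """TimeGenerated,ComputerName,EventID,Strings
2006-04-21 02:00:01,SRV01,528,"svc_backup|EXAMPLE|(0x0,0x3E7A1)|5|Advapi|Negotiate|SRV01"
2006-04-21 09:14:37,WKS042,528,"svc_backup|EXAMPLE|(0x0,0x51B20)|2|User32|Negotiate|WKS042"
2006-04-21 09:20:10,WKS042,528,"jsmith|EXAMPLE|(0x0,0x51F00)|2|User32|Negotiate|WKS042"
2006-04-21 11:02:55,SRV01,528,"SVC_Backup|EXAMPLE|(0x0,0x7A001)|10|User32|Negotiate|SRV01"
2006-04-21 11:05:00,SRV01,538,"svc_backup|EXAMPLE|(0x0,0x7A001)|10"
2006-04-21 12:00:00,SRV02,528,svc_backup|EXAMPLE
"""


def suspicious_logons(csv_text, service_accounts):
    """Return 528 events where a watched account logged on the way a person would."""
    watched = {name.lower() for name in service_accounts}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "528":
            continue  # only successful logons, as in the thread
        fields = row["Strings"].split("|")
        user = fields[0]
        if user.lower() not in watched:  # account names are case-insensitive
            continue
        # A truncated record is reported as Unknown rather than silently dropped.
        logon_type = fields[3].strip() if len(fields) > 3 else "?"
        if logon_type in EXPECTED_FOR_SERVICE:
            continue
        domain = fields[1] if len(fields) > 1 else ""
        hits.append((row["TimeGenerated"], row["ComputerName"],
                     f"{domain}\\{user}", LOGON_TYPES.get(logon_type, "Unknown")))
    return hits


if __name__ == "__main__":
    for hit in suspicious_logons(SAMPLE_CSV, ["svc_backup"]):
        print(*hit, sep="  ")
```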


