Brian,

Many thanks for your response.

You could possibly poll the system for this information or you could enable logging for these events and generate an alert when they occur.

What we've actually got is a campus network with 700 users. The admins work 9-5 Mon-Fri; outside of these times the network becomes "0wn3d" by "3133t hax0rs"... The Windows event logs keep getting wiped, and anything server-side has been compromised. I think passwords are grabbed by ARP spoofing high-level computers with Cain & Abel (or similar), or indeed one of the servers has been trojaned.


All monitoring therefore needs to be done from a secure, non-domain-reliant machine. I'm thinking of getting the admins to install NTSyslog (syslog.sourceforge.net/) so all logs get sent immediately to the Linux server as they're created and can't be deleted. Hopefully that'll contain IPs which can be traced to (unmodified!) MAC addresses.

It would still be nice to have an alternative method of seeing which users / admins are logged in.

By the way, you may enumerate user accounts anonymously only if the system has not been configured to prevent it.

And by using a scanner on a Windows box, they obviously do enumerate users anonymously. If Nessus can't check for this, is there any other Linux utility that can?


Many thanks again for your help,

James

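A detection pass over security events forwarded to the Linux syslog box, as an added example that is not part of this thread and is not NTSyslog's own code. It assumes a constructed line format for the forwarded events (NTSyslog's real output depends on version and configuration), the year 2003 for the year-less syslog timestamps, the 9-5 Mon-Fri working hours from the post, and the Windows NT/2000 security event IDs 528 and 540 (successful logon / successful network logon) and 517 (the audit log was cleared). It flags any logon outside working hours and any log-clearing event, which is exactly the evidence a local wipe would otherwise destroy, and the sample lines at the bottom are constructed for illustration.

```python
import re
from datetime import datetime, time

# Syslog lines carry no year; assume one so weekdays can be computed (assumption for this example).
SYSLOG_YEAR = 2003
# Admins work 9-5 Mon-Fri, per the post.
WORK_START, WORK_END = time(9, 0), time(17, 0)

# Windows NT/2000 security event IDs used here.
LOGON_EVENTS = {528: "successful logon", 540: "successful network logon"}
LOG_CLEARED = 517  # "The audit log was cleared"

# Constructed line format (assumption; real NTSyslog output varies):
#   <Mon dd HH:MM:SS> <host> security[<type>] <eventid> <message>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"security\[(?P<type>\w+)\] (?P<eid>\d+) (?P<msg>.*)$"
)


def extract_user(msg):
    """Pull the acting account out of the event text.

    For 517 the account that cleared the log is 'Client User Name:'; for logon
    events it is 'User Name:'.
    """
    m = re.search(r"Client User Name:\s*(\S+)", msg) or re.search(r"User Name:\s*(\S+)", msg)
    return m.group(1) if m else None


def parse_line(line):
    """Parse one forwarded line into a dict, or None if it is not a security event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
    return {"ts": ts, "host": m["host"], "eid": int(m["eid"]),
            "user": extract_user(m["msg"]), "msg": m["msg"]}


def outside_hours(ts):
    """True on weekends or outside 09:00-17:00."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def alerts(lines):
    """Return (kind, host, user, timestamp) tuples for events worth paging someone about."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["eid"] == LOG_CLEARED:
            out.append(("log_cleared", ev["host"], ev["user"], ev["ts"]))
        elif ev["eid"] in LOGON_EVENTS and outside_hours(ev["ts"]):
            out.append(("after_hours_logon", ev["host"], ev["user"], ev["ts"]))
    return out


# Constructed sample input: 3 Feb 2003 is a Monday, 8 Feb 2003 a Saturday.
SAMPLE_LINES = [
    "Feb  3 10:15:02 dc1 security[success] 528 Successful Logon: User Name: jsmith Domain: CAMPUS Logon Type: 2",
    "Feb  3 23:41:10 dc1 security[success] 540 Successful Network Logon: User Name: Administrator Domain: CAMPUS Logon Type: 3",
    "Feb  8 14:02:33 fs2 security[success] 528 Successful Logon: User Name: backupsvc Domain: CAMPUS Logon Type: 2",
    "Feb  8 14:05:01 fs2 security[success] 517 The audit log was cleared. Primary User Name: SYSTEM Client User Name: backupsvc",
    "Feb  3 12:00:00 dc1 kernel: unrelated line",
]

if __name__ == "__main__":
    for kind, host, user, ts in alerts(SAMPLE_LINES):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {host} {kind} user={user}")
```

Running it against the sample yields two after-hours logons (Administrator on the Monday night, backupsvc on the Saturday) and one log-cleared event by backupsvc; the weekday logon during working hours and the non-security line produce nothing. In practice this would be fed by tailing the syslog file the Linux box writes, and the alert could go out by e-mail or pager from that box, which the domain accounts cannot touch.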
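One way to check from the Linux box whether a Windows host still allows anonymous user enumeration (the null-session point raised above), as an added example that is not from this thread: it runs Samba's rpcclient with an empty username and no password and parses the output of its `enumdomusers` command. The host name and the sample output are constructed for illustration; rpcclient itself is assumed to be installed. A populated list means the host has not been configured to refuse anonymous enumeration; an empty list (or an access-denied line) means it has.

```python
import re
import subprocess

# rpcclient's enumdomusers prints one line per account, e.g. "user:[Administrator] rid:[0x1f4]"
USER_LINE = re.compile(r"user:\[(?P<name>[^\]]*)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")


def parse_enumdomusers(output):
    """Turn enumdomusers output into {account name: RID}; non-matching lines are ignored."""
    return {m["name"]: int(m["rid"], 16) for m in USER_LINE.finditer(output)}


def null_session_users(host, timeout=15):
    """Attempt an anonymous (null) session against host and list domain users.

    Returns a dict of users (empty if the host refused), or None if rpcclient
    could not be run at all.
    """
    try:
        proc = subprocess.run(
            ["rpcclient", "-U", "", "-N", host, "-c", "enumdomusers"],
            capture_output=True, text=True, timeout=timeout,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_enumdomusers(proc.stdout)


# Constructed sample of what a host that still permits anonymous enumeration returns.
SAMPLE_OUTPUT = (
    "user:[Administrator] rid:[0x1f4]\n"
    "user:[Guest] rid:[0x1f5]\n"
    "user:[jsmith] rid:[0x3e9]\n"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dc1.campus.example"  # assumed host name
    users = null_session_users(target)
    if users is None:
        print("rpcclient not available or timed out")
    elif users:
        print(f"{target} allows anonymous enumeration: {len(users)} accounts")
        for name, rid in users.items():
            print(f"  {name} (RID {rid})")
    else:
        print(f"{target} refused anonymous enumeration")
```

Run it against each Windows server on a schedule from the non-domain machine; if a host that previously refused suddenly starts answering, its anonymous-access restriction has been relaxed, which is worth an alert in its own right.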