OK, brain fart: what's the best way to find which .EXE is initiating a connection to my DC's ADMIN$ share? I can use CPORTS to find what app is using what port; do I look for a port 389 connection?
The other trick to this is the connection happens twice a day about 12 hours apart... I'm thinking it's normal traffic.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764