Auditting "Privileged" account logins

Printable View

May 9th, 2005, 06:14 PM
Gixxer

Auditting "Privileged" account logins

I am trying to see if there is a way to audit at the group or user level on a windows 2000 domain. What I mean is, I have in the past setup auditting on our domain to capture successful and failed login attempts but it was for all users. It becomes too much of a pain in the but to administer. What I am looking to do is only audit a certain number of "priviledged accounts", like the domain admin or the administrator account. Is this possible, can I somehow only setup auditing on a user by user bases or group by broup basis. Thanks
May 9th, 2005, 06:48 PM
nihil

Have you considered using Excel or Access to filter out the data you want?
May 9th, 2005, 06:51 PM
Gixxer

No I haven't, so your saying keep the auditting on the entire domain, capture the data from the event viewer into like a CSV file or something like that and then use excel or access to filter for the certain accounts?
May 9th, 2005, 07:00 PM
nihil

Hi Gixxer,

Yes, that is what I was thinking. At least it would mean that you collected a full dataset, and could create customised analyses very quickly and easily, by simply creating a copy of your "template" analysis with changed parameters.

Hey, I always look for an easy solution over an elegant one :D
May 10th, 2005, 06:24 PM
mohaughn

Re: Auditting "Privileged" account logins

Quote:

Originally posted here by Gixxer
I am trying to see if there is a way to audit at the group or user level on a windows 2000 domain. What I mean is, I have in the past setup auditting on our domain to capture successful and failed login attempts but it was for all users. It becomes too much of a pain in the but to administer. What I am looking to do is only audit a certain number of "priviledged accounts", like the domain admin or the administrator account. Is this possible, can I somehow only setup auditing on a user by user bases or group by broup basis. Thanks

You could always split the users up into different OUs.

So in your default domain user GPO you turn off all auditing. If you don't want to audit for everyone.

You create a general user OU, and then you also create a priviledged user OU.

There would not be any GPO for the general user OU as you want the domain policy to apply for those users.

However, for the priviledged user OU you would want to turn on auditing.

I, however, like the idea of using a 3rd party product to quickly go through your security logs. If you have the disk space to audit the actions of all users it can't hurt. It is pretty easy to parse through a CSV log file as well.