
Thread: Auditing "Privileged" account logins

  1. #1
    Member
    Join Date
    Jan 2002
    Posts
    61

    Auditing "Privileged" account logins

    I am trying to see if there is a way to audit at the group or user level on a Windows 2000 domain. What I mean is, I have in the past set up auditing on our domain to capture successful and failed login attempts, but it was for all users. It becomes too much of a pain in the butt to administer. What I am looking to do is only audit a certain number of "privileged accounts", like the domain admin or the administrator account. Is this possible? Can I somehow only set up auditing on a user-by-user basis or group-by-group basis? Thanks

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Have you considered using Excel or Access to filter out the data you want?

  3. #3
    Member
    Join Date
    Jan 2002
    Posts
    61
    No, I haven't. So you're saying keep the auditing on the entire domain, capture the data from the Event Viewer into something like a CSV file, and then use Excel or Access to filter for the certain accounts?

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Gixxer,

    Yes, that is what I was thinking. At least it would mean that you collected a full dataset, and could create customised analyses very quickly and easily, by simply creating a copy of your "template" analysis with changed parameters.

    Hey, I always look for an easy solution over an elegant one.

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    748

    Re: Auditing "Privileged" account logins

    Originally posted here by Gixxer
    I am trying to see if there is a way to audit at the group or user level on a Windows 2000 domain. What I mean is, I have in the past set up auditing on our domain to capture successful and failed login attempts, but it was for all users. It becomes too much of a pain in the butt to administer. What I am looking to do is only audit a certain number of "privileged accounts", like the domain admin or the administrator account. Is this possible? Can I somehow only set up auditing on a user-by-user basis or group-by-group basis? Thanks

    You could always split the users up into different OUs.

    So in your default domain user GPO you turn off all auditing, if you don't want to audit for everyone.

    You create a general user OU, and then you also create a privileged user OU.

    There would not be any GPO for the general user OU as you want the domain policy to apply for those users.

    However, for the privileged user OU you would want to turn on auditing.

    I, however, like the idea of using a 3rd party product to quickly go through your security logs. If you have the disk space to audit the actions of all users it can't hurt. It is pretty easy to parse through a CSV log file as well.
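
The CSV filtering approach suggested in the thread, as an added example that is not code from any poster. The column order of the export, the watch list and the sample lines are assumptions or constructed; event IDs 528, 529 and 540 are the Windows 2000 logon success, logon failure and network logon events. Failed logons typically carry SYSTEM in the User column, so the account name is taken from the description text.

```python
import csv
import io
import re

# Assumptions: column order of the CSV export (no header row) and the watch list.
COLUMNS = ["date", "time", "source", "type", "category",
           "event", "user", "computer", "description"]
PRIVILEGED = {"administrator", "adm-backup"}   # hypothetical account names
LOGON_EVENTS = {"528": "logon success", "529": "logon failure",
                "540": "network logon success"}

# Constructed sample lines, not real log data.
SAMPLE = r"""
3/14/2004,9:02:11 AM,Security,Success Audit,Logon/Logoff,528,CORP\Administrator,DC01,"Successful Logon: User Name: Administrator Domain: CORP Logon Type: 2"
3/14/2004,9:03:40 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,DC01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3"
3/14/2004,9:05:02 AM,Security,Success Audit,Logon/Logoff,528,CORP\jdoe,WS07,"Successful Logon: User Name: jdoe Domain: CORP Logon Type: 2"
3/14/2004,9:06:15 AM,Security,Success Audit,Logon/Logoff,538,CORP\Administrator,DC01,"User Logoff: User Name: Administrator Domain: CORP Logon Type: 2"
"""

def account_of(row):
    """Account the event is about, lower-cased and without the domain."""
    # Failed logons carry SYSTEM in the User column; the attempted
    # account only appears in the description text.
    m = re.search(r"User Name:\s*(\S+)", row["description"])
    name = m.group(1) if m else row["user"]
    return name.rsplit("\\", 1)[-1].lower()

def privileged_logons(csv_text, watch=PRIVILEGED):
    """Return (date, time, outcome, account, computer) for watched accounts."""
    hits = []
    for fields in csv.reader(io.StringIO(csv_text)):
        if len(fields) < len(COLUMNS):
            continue                      # blank or truncated line
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        outcome = LOGON_EVENTS.get(row["event"])
        if outcome and account_of(row) in watch:
            hits.append((row["date"], row["time"], outcome,
                         account_of(row), row["computer"]))
    return hits

if __name__ == "__main__":
    for hit in privileged_logons(SAMPLE):
        print(*hit, sep="  ")
```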
