RE: Monitoring of Admin logins

["Scott Ramsdell" <Scott.Ramsdell () cellnet com>]

Sohail,

You may want to monitor logon/logoff events on your domain controller.

VB scripting would allow you to send an email when a particular event
occurs.

> From your post, I cannot tell if you have several users who share the
same admin account because you say they use "the admin account".  From
the rest of your post, it appears they use individual accounts with
admin privs.

If they use individual accounts, in the logon event, you would want to
read the type (type 3 is over the network), and then read the details.
The details will include username and workstation.

You could then send yourself an email with the type and details.

This solution would run as a VB script somewhere in your domain.

Alternatively, simply assign a GPO to the admins which calls a login
script.  The login script would then be a VB script that emails you the
username and workstation (or IP).  

Kind Regards,
 
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Sohail Sarwar
Sent: Tuesday, April 10, 2007 11:26 AM
To: security-basics () securityfocus com
Subject: Monitoring of Admin logins

Hi there,

        I am assuming this have been done, but how ?  I would like to
get notified when a user logs in to my domain as an admin
(Administrator)  I have several people who are using the admin account,
and I would like to setup something so that it notifies me via and email
that a specific person has logged in to the domain controller or windows
2003 servers as the administrator.

        I guess something like who the user is and from where..  Is
there such a thing ?

Thanks,
Sohail