Tracking user account activity.

Posted by Microsoft News Groups on March 30, 2006, 12:27 pm
What I am trying to do is to track when I can disable or delete an account.
The traditional way to do this is to track time since their last login, which
is displayed on the domain controllers. What we have, however, is a number
of users that do not log on directly to a workstation with their credentials,
since we have many restricted autologon kiosks that use a generic name. To
compound issues more, we have users outside of our organization that VPN
into our organization (not a MS VPN) and have been given accounts so they
can remotely map to certain server shares. So for these types of users,
when they connect this way, it does not update their last logon timestamp on
the domain controller, making disabling and deleting accounts tricky. We
have tried to put these users into a separate OU, but this group of people
is in constant flux. What I would like to see is some other way that AD
tracks these types of logons that are not traditional logons to workstations
so that I can more adequately perform my account management.

Thanks for any help

Rob



Posted by Richard Mueller on March 30, 2006, 12:40 pm
Hi,

The only AD attributes that can help are lastLogon and pwdLastSet. Often it
can help to retrieve the date the password was last set, assuming passwords
expire. Otherwise, logon scripts can log usernames, computer name, and
date/time to shared log files.

If users have more than one account, then you have to manually compare the
associated accounts. If you use generic accounts I don't see any way to tell
who used the account, short of a program that asks for identity and logs it.
If VPN users don't update lastLogon or pwdLastSet, and don't run logon
scripts, I see no solution.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net




Posted by Microsoft News Groups on March 30, 2006, 1:20 pm
Maybe I was unclear. These users use their named credentials to map the
drives, but do not log on to the machine. That is done by an autologon
account. So they are getting authenticated by the domain controller, but
that does not reset the last logon timestamp. Was looking for any other
methods to track this so I can do password management.

Rob




Posted by Steven L Umbach on March 30, 2006, 11:07 pm
You could enable auditing of logon events on the servers that have the
shares and then look for the last logon event for the user, but of course you
would need to make your security logs rather large or save them. You could
use Event Comb [free from Microsoft] to search for the user's name as part
of a text string search.

--- Steve

http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx

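
The approach in the last reply (audit logon events on the share servers, then find each user's most recent one), sketched in PowerShell as an added example that is not part of the original thread. The server names, account names, 90-day cutoff and sample records are constructed assumptions; the function names are hypothetical.

```powershell
# Added example (not from the thread). Assumes Windows Server 2008 or later,
# where a successful logon is event 4624 and LogonType 3 means a network logon.
function Get-NetworkLogonRecord {
    # Pull network-logon records for user accounts from one server's Security log.
    param([string]$ComputerName, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
            # Keep share-style (network) logons only; drop computer accounts (name ends in $).
            if ($data['LogonType'] -eq '3' -and $data['TargetUserName'] -notlike '*$') {
                [pscustomobject]@{ Server = $ComputerName; Time = $_.TimeCreated
                                   User = $data['TargetUserName']; Source = $data['IpAddress'] }
            }
        }
}

function Get-StaleAccount {
    # For each account under review, report its latest network logon across all
    # collected records and whether it is older than the idle cutoff.
    param([string[]]$Account, [object[]]$Record, [int]$MaxIdleDays = 90,
          [datetime]$Now = (Get-Date))
    foreach ($name in $Account) {
        $last = $Record | Where-Object { $_.User -eq $name } |
                Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            User     = $name
            LastSeen = if ($last) { $last.Time } else { $null }
            Server   = if ($last) { $last.Server } else { $null }
            Stale    = (-not $last) -or (($Now - $last.Time).TotalDays -gt $MaxIdleDays)
        }
    }
}

# Constructed sample records so the report logic runs without a live server.
$sample = @(
    [pscustomobject]@{ Server = 'FS01'; Time = [datetime]'2024-05-28T09:14:00'; User = 'vendor1'; Source = '10.0.5.20' }
    [pscustomobject]@{ Server = 'FS02'; Time = [datetime]'2024-01-10T16:02:00'; User = 'vendor2'; Source = '10.0.5.31' }
    [pscustomobject]@{ Server = 'FS02'; Time = [datetime]'2024-05-30T08:00:00'; User = 'vendor1'; Source = '10.0.5.20' }
)
Get-StaleAccount -Account 'vendor1', 'vendor2', 'vendor3' -Record $sample -Now ([datetime]'2024-06-01')

# Live collection (hypothetical server names):
# $records = 'FS01', 'FS02' | ForEach-Object {
#     Get-NetworkLogonRecord -ComputerName $_ -Since (Get-Date).AddDays(-90) }
```

An account with no record in the retained logs is reported as stale, so the Security log size or archive on each share server has to cover the full idle window before the result is used to disable anything.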


