"steve" <> wrote in message
news:708e49a7-5a47-4ada-a98d-...
>I have a very small network.
> Maybe 10 computers. I have installed and set up software that tells me
> if the administrator has logged in. I'm the administrator but I think
> sometimes the network password gets out and people use it when they
> should not.
>
> Anyway I get event messages that tell me that the administrator has
> logged in or off. However I strongly believe that some of these messages
> come from various processes that are going on, maybe backups or other
> things that I have running?
>
> The question is how can I tell when it's a process or something
> else that's running as administrator, or when it's an actual login? I
> can't really make head nor tail of the messages one way or another.
>
> Here are some of the messages.
> -----------------
> win2003-07rnw0i
> Application Security
> Criticality Medium
> Time 00:04:16, Wed, Nov 11 2009
> No of Occurances 1
> Message Logon attempt using explicit credentials:
>
> Logged on user:
> User Name: WIN2003-07RNW0I$
> Domain: mydomain
> Logon ID: (0x0,0x3E7)
> Logon GUID: {8dd8b0bd-7cd5-7abe-9b67-2d8c15f17050}
>
> User whose credentials were used:
> Target User Name: administrator
> Target Domain: a.b.c
> Target Logon GUID: -
>
>
> Target Server Name: LIB2.a.b.c
> Target Server Info: RPCSS/LIB2.a.b.c
> Caller Process ID: 448
> Source Network Address: -
> Source Port: -
> -------------------------------------------------------------------------------------------------
> Host win2003-07rnw0i
> Application Security
> Criticality Medium
> Time 00:04:13, Wed, Nov 11 2009
> No of Occurances 1
> Message Service Ticket Request:
>
> User Name:
> User Domain: a.b.c
> Service Name: LIB1$
> Service ID: mydomainLIB1$
> Ticket Options: 0x40810000
> Ticket Encryption Type: 0x17
> Client Address: 127.0.0.1
> Failure Code: -
> Logon GUID: {db8f44fa-7ff8-8be5-8c0d-fcd22fabc836}
> Transited Services: -
>
> ---------------------------------------------------------
>
> Host win2003-07rnw0i
> Application Security
> Criticality Medium
> Time 00:04:13, Wed, Nov 11 2009
> No of Occurances 1
> Message Logon attempt using explicit credentials:
>
> Logged on user:
>
> User Name: WIN2003-07RNW0I$
> Domain: mydomain
> Logon ID: (0x0,0x3E7)
> Logon GUID: {8dd8b0bd-7cd5-7abe-9b67-2d8c15f17050}
>
> User whose credentials were used:
>
> Target User Name: administrator
> Target Domain: mydomain
> Target Logon GUID: -
>
>
> Target Server Name: Lib1.a.b.c
> Target Server Info: Lib1.a.b.c
> Caller Process ID: 216
> Source Network Address: -
> Source Port: -
> ---------------------------------------------------------
> Host win2003-07rnw0i
> Application Security
> Criticality Medium
> Time 22:43:29, Tue, Nov 10 2009
> No of Occurances 1
> Message Logon attempt using explicit credentials:
>
> Logged on user:
>
> User Name: WIN2003-07RNW0I$
> Domain: mydomain
> Logon ID: (0x0,0x3E7)
> Logon GUID: {8c63e5b3-155f-ea3c-443d-c0d2407aad5b}
>
> User whose credentials were used:
>
> Target User Name: administrator
> Target Domain: mydomain
> Target Logon GUID: -
>
>
> Target Server Name: Lib1.a.b.c
> Target Server Info: Lib1.a.b.c
> Caller Process ID: 4052
> Source Network Address: -
> Source Port: -
> -----------------------------------------------------------------------------------------------
>
Change the password so that no other processes or people can use the
Administrator account, then check the event viewer for alerts. You must also
run this command:
net user administrator /domain
in order to monitor when the password gets changed again.
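As an added example that is not part of this thread, the Python script below parses alert messages in the format quoted above and applies one heuristic to the original question: an "explicit credentials" message whose logged-on (calling) account is a computer account (name ending in `$`), whose Logon ID is the well-known LocalSystem session `0x3E7`, and which carries no Source Network Address was raised by a local process running as SYSTEM (a service, scheduled task or backup job) supplying the administrator password, not by a person logging in. The heuristic and the labels it returns are this example's assumptions; the first sample message is reconstructed from the post, the second (a user session supplying the administrator credentials from a remote address) is constructed for contrast.

```python
"""Classify Windows 'Logon attempt using explicit credentials' messages.

Added example (not from the thread). The classification rule is an
assumption of this example, not something the thread states:
  - the calling ("Logged on user") account is a computer account ('$'),
  - its Logon ID is 0x3E7 (the well-known LocalSystem logon session), and
  - no Source Network Address is recorded.
When all three hold the administrator credentials were supplied by a local
process running as SYSTEM rather than by a person at a console or over the
network. Anything else that is still an explicit-credential logon is
flagged as coming from a user session and deserves a closer look.
"""
import re

# Constructed sample: message 1 is reconstructed from the post, message 2 is
# a made-up case where a user session supplies the administrator password.
SAMPLE_MESSAGES = """\
Host win2003-07rnw0i
Time 00:04:13, Wed, Nov 11 2009
Message Logon attempt using explicit credentials:
Logged on user:
User Name: WIN2003-07RNW0I$
Domain: mydomain
Logon ID: (0x0,0x3E7)
User whose credentials were used:
Target User Name: administrator
Target Domain: mydomain
Target Server Name: Lib1.a.b.c
Caller Process ID: 216
Source Network Address: -
Source Port: -
-------------------------------------------------
Host win2003-07rnw0i
Time 09:15:02, Wed, Nov 11 2009
Message Logon attempt using explicit credentials:
Logged on user:
User Name: jsmith
Domain: mydomain
Logon ID: (0x0,0x1A2B3C)
User whose credentials were used:
Target User Name: administrator
Target Domain: mydomain
Target Server Name: Lib1.a.b.c
Caller Process ID: 3120
Source Network Address: 192.0.2.15
Source Port: 49152
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")
SYSTEM_LOGON_ID_RE = re.compile(r"0x3E7\)?\s*$", re.IGNORECASE)


def parse_messages(text):
    """Split an alert dump on separator lines and read 'Key: value' fields."""
    messages = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            messages.append(fields)
    return messages


def is_explicit_credential_logon(fields):
    """True if the 'Message' header names an explicit-credential logon."""
    return any(k.startswith("Message Logon attempt using explicit credentials")
               for k in fields)


def classify(fields):
    """Return 'local-process', 'user-session' or 'other' for one message."""
    if not is_explicit_credential_logon(fields):
        return "other"
    caller = fields.get("User Name", "")
    logon_id = fields.get("Logon ID", "")
    source = fields.get("Source Network Address", "-")
    caller_is_machine = caller.endswith("$")
    caller_is_system = bool(SYSTEM_LOGON_ID_RE.search(logon_id))
    if caller_is_machine and caller_is_system and source in ("-", ""):
        return "local-process"
    return "user-session"


def summarize(text):
    """List (target account, calling account, caller PID, class) per message."""
    return [(f.get("Target User Name", ""), f.get("User Name", ""),
             f.get("Caller Process ID", ""), classify(f))
            for f in parse_messages(text)]


if __name__ == "__main__":
    for target, caller, pid, kind in summarize(SAMPLE_MESSAGES):
        print(f"{kind:14} target={target} caller={caller} pid={pid}")
```

The Caller Process ID is the key to the follow-up: looking up that PID on the host at the time of the event (on this thread's Windows 2003 box, Task Manager or `tasklist /svc`) names the service or job that holds the administrator password, so the credential can be moved to a dedicated service account before the password is rotated as the reply suggests.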