Active Directory Authentication Monitoring
-
Monday, March 12, 2012 6:01 AM
Hello my friends,
I have a domain controller running on Windows Server 2008 R2 and joined Windows 7 Enterprise to the DC (Test.com), where I log on as users (u1@test.com).
Everything is going fine.
Now what I want is: whenever my DC authenticates any user, I must make a log of that and also be sent an email notification such as "One user like u1@test.com authenticated by DC (Test.com)".
Please help me achieve this goal.
My second question: can I know how many users have been authenticated by my DC (test.com) in the last 24 hours?
Kamal Sharma
All Replies
-
Monday, March 12, 2012 6:17 AM
Hi,
You can activate Active Directory auditing and set an event trigger to send you an email when the particular event is stored in the security event log.
Please check out:
http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
http://www.windowsecurity.com/articles/windows-active-directory-auditing.html
http://www.petri.co.il/assigning-custom-tasks-to-events.htm
Regards, Martin Forch
- Proposed As Answer by VenkatSP Monday, March 12, 2012 9:22 AM
- Unproposed As Answer by netengineer.kamal Monday, March 12, 2012 9:23 AM
- Marked As Answer by Lawrence Lv (Microsoft Contingent Staff, Moderator) Monday, March 19, 2012 2:00 AM
-
Monday, March 12, 2012 6:39 AM
Hi,
Unless someone has changed the defaults, the domain controllers will automatically log successful account logons in the Security event log.
You could attach an e-mail notification event to the logon event within the Event Viewer, but I wouldn't recommend this as unless you're working in the smallest of environments, this is going to trigger tens or even hundreds of thousands of times per day. This will negatively affect your domain controller(s) and mail server(s) for no real gain.
If you need to keep a longer record of these kinds of events, create a Windows event collector subscription in "push" mode to forward the logon events to a dedicated event collection host. This will allow you to maintain a longer history than is possible on the domain controllers and keep the content searchable using the event viewer. You can find out more about push subscriptions here (the second XML example below the heading of "Create a new subscription").
Cheers,
Lain -
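An added example, not part of any reply in this thread: one way to answer the 24-hour question from the Security log that the reply above says domain controllers keep by default. It assumes an elevated PowerShell session on the DC and takes "authenticated" to mean a successful Kerberos TGT request (event 4768) or NTLM credential validation (event 4776); excluding computer accounts is also a choice made here.

```powershell
# Added example: distinct accounts authenticated by this DC in the last 24 hours.
# Assumptions: elevated session on the domain controller; event IDs 4768
# (Kerberos TGT request) and 4776 (NTLM credential validation) are treated
# as "the DC authenticated a user". Written to run on PowerShell 2.0.

$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4768, 4776; StartTime = $since }

# Get-WinEvent raises an error when nothing matches, so tolerate an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$logons = @(foreach ($e in $events) {
    # Read the event fields by name from the XML instead of by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Both events carry a Status field; only 0x0 means the request succeeded.
    if ($data['Status'] -match '^0x0+$') {
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            EventId = $e.Id
            User    = $data['TargetUserName']
        }
    }
})

# Computer accounts end in '$'; drop them so only user accounts are counted.
$users = @($logons |
    Where-Object { $_.User -and $_.User -notlike '*$' } |
    Group-Object User |
    Sort-Object Count -Descending)

"{0} distinct user accounts authenticated since {1}" -f $users.Count, $since
$users | Select-Object Name, Count | Format-Table -AutoSize
```

Each domain controller holds only its own events, so with more than one DC the count has to be taken per DC or from the host that collects the forwarded events.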
Monday, March 12, 2012 7:11 AM Moderator
I agree with others, you can achieve this by using event subscription service. You can use ACS feature in SCOM but it's gonna use large storage space. You can use EventCombMT tool to read the particular event log centrally.
http://technet.microsoft.com/en-us/library/cc748890.aspx
Awinish Vishwakarma - MVP-DS
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
Monday, March 12, 2012 9:07 AM
Awinish,
I am not using SCOM. I do not even know more about SCOM. Can I do this with Windows Server 2008 R2 itself?
Kamal Sharma
-
Monday, March 12, 2012 9:09 AM Moderator
Yes, you can use event subscription service in Windows 2008/R2.
Awinish Vishwakarma - MVP-DS
- Marked As Answer by Lawrence Lv (Microsoft Contingent Staff, Moderator) Monday, March 19, 2012 2:01 AM
-
Monday, March 12, 2012 9:10 AM
Can you please let me know the step-by-step procedure for the same, so that I can achieve this goal easily?
Kamal Sharma
-
Monday, March 12, 2012 9:12 AM Moderator
Take a look at the article below.
Awinish Vishwakarma - MVP-DS
-
Monday, March 12, 2012 9:22 AM
Hi,
I agree with Martin Forch and would do the same if I were in your place.
-
Monday, March 12, 2012 9:23 AM
I will try and let you know soon.
Kamal Sharma
-
Monday, March 12, 2012 10:04 AM
You can use the counters below to monitor authentication traffic to DCs.
Kerberos Authentications/Sec
NTLM Authentications
Sajeed AM
- Marked As Answer by netengineer.kamal Monday, March 12, 2012 10:06 AM
- Unmarked As Answer by netengineer.kamal Monday, March 12, 2012 10:07 AM
-
Wednesday, March 14, 2012 11:43 AM
You can also use ADInsight.exe for live monitoring! Please refer to the URL for more info.
http://technet.microsoft.com/en-us/sysinternals/bb963907
Sajeed AM

