Monitoring Domain Administrator account usage

  • Question

  • Hello,

    I'm taking over the role of IT Manager in a pretty big company, with the Active Directory that goes with it (around 1500 workstations).

    One of my main projects for the coming months will be to change the domain administrator password, as it was never changed and is being used by a lot of people.

    I know it is also being used for scheduled tasks and services.

    In order to minimize the impact, and any outage, I would need to be able to list when the administrator account is being used, and store this in a spreadsheet like:

    Date & Time - ComputerName - IPAddress - Service Name (if applicable).

    It would also help if it could list when the account is being used with remote desktop.

    Does such a tool exist? What would be the best way to implement something like this?

    For sure I am not the first one, and I guess there could be some proper way to do this.

    Thank you very much.


    Monday, February 2, 2015 3:24 PM

All replies

  • We monitor all account usage. To do this, we turn on auditing for user account logon and failure.

    We disable, or restrict to one, the user account passwords being cached locally (depending on the system); this then forces the account to be checked against the domain controllers.

    On the domain controllers we forward the security event log to a syslog server (Splunk), and from there we can see which account is being used and by what.

    You could skip the last bit, but you would then have to search through the domain controllers' security logs.

    Tuesday, February 3, 2015 9:19 AM
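The reply's approach (logon auditing on, credential caching off, domain controller Security logs searched centrally) maps directly onto the spreadsheet the question asks for. The following PowerShell script is an added example, not code posted by either participant and not a Microsoft tool: it reads the Security log of each named computer, keeps only events for one account, and exports date/time, computer name, source IP and logon type to CSV. With cached logons disabled, domain authentication shows up on the DCs as Kerberos TGT requests (event 4768) and NTLM validations (event 4776), which give the timestamp and the client address or workstation; the logon type (Remote Desktop, service, scheduled task) is only in event 4624 on the machine that was logged on to, so the same function can be pointed at member servers for that detail. The account name, computer names, date range and output path are placeholders; reading a remote Security log needs the Remote Event Log Management firewall rule open and membership of the Event Log Readers group on the target.

```powershell
# Added example: collect usage of one domain account from Windows Security logs
# and write it out as a spreadsheet. Account and computer names are placeholders.
# Assumes logon auditing is enabled, e.g. on each target:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable

param(
    [string]   $AccountName = 'Administrator',          # placeholder: account to track
    [string[]] $Computers   = @('DC01', 'DC02'),        # placeholder: DCs and/or member servers
    [datetime] $Since       = (Get-Date).AddDays(-7),
    [string]   $OutFile     = '.\admin-account-usage.csv'
)

# Meaning of the LogonType field in events 4624/4625 (well-known Windows values).
$logonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network (file share, WMI, remoting)'
    4  = 'Batch (scheduled task)'
    5  = 'Service (service account)'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (Remote Desktop)'
    11 = 'CachedInteractive'
}

# How each event ID should be described in the output.
$eventKinds = @{
    4624 = 'Logon to this host (success)'
    4625 = 'Logon to this host (failure)'
    4768 = 'Kerberos TGT request (domain authentication)'
    4776 = 'NTLM credential validation (domain authentication)'
}

function Get-AccountUsageRecords {
    param([string]$Account, [string[]]$Hosts, [datetime]$StartTime)

    foreach ($h in $Hosts) {
        $filter = @{ LogName = 'Security'; Id = 4624, 4625, 4768, 4776; StartTime = $StartTime }
        try {
            $events = Get-WinEvent -ComputerName $h -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Warning "Could not read the Security log on $h : $($_.Exception.Message)"
            continue
        }

        foreach ($evt in $events) {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $xml  = [xml]$evt.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # PowerShell string comparison is case-insensitive, which suits account names.
            if ($data['TargetUserName'] -ne $Account) { continue }

            # 4624/4625 use WorkstationName, 4776 uses Workstation, 4768 carries only an IP.
            $workstation = if ($data['WorkstationName']) { $data['WorkstationName'] } else { $data['Workstation'] }
            # Kerberos events often report IPv4-mapped IPv6 addresses such as ::ffff:10.0.0.5.
            $ip = ($data['IpAddress'] -replace '^::ffff:', '')

            $typeName = ''
            if ($evt.Id -in 4624, 4625) {
                $t = [int]$data['LogonType']
                $typeName = if ($logonTypes.ContainsKey($t)) { $logonTypes[$t] } else { "Unknown ($t)" }
            }

            [pscustomobject]@{
                DateTime      = $evt.TimeCreated
                LoggedOn      = $h                   # where the event was recorded
                EventId       = $evt.Id
                Kind          = $eventKinds[[int]$evt.Id]
                ComputerName  = $workstation         # client workstation, when the event carries it
                IPAddress     = $ip
                LogonType     = $typeName            # filled in only for 4624/4625
                Process       = $data['ProcessName'] # 4624/4625 only; helps spot services and tasks
            }
        }
    }
}

Get-AccountUsageRecords -Account $AccountName -Hosts $Computers -StartTime $Since |
    Sort-Object DateTime |
    Export-Csv -Path $OutFile -NoTypeInformation

Write-Host "Wrote $OutFile"
```

Run it first against the domain controllers to get the full list of machines and addresses that authenticate as the account, then against the member servers that list names with `-Computers` to see whether each use is a service (type 5), a scheduled task (type 4) or Remote Desktop (type 10). Pulling a week of 4624/4768 events from a busy DC can take a while, so narrow `-Since` if the query is slow; the same filtering is a one-line search once the logs are in Splunk or another SIEM, as the reply describes.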