How to trace an admin login to an Active Directory server (2008 R2): from which host or which IP (in the situation where multiple admins are working)?
Viewed 512 times
0
Related: [How to trace Admin file creation](http://security.stackexchange.com/q/7733/396) – makerofthings7 Jul 29 '14 at 04:07
1 Answer
1
You can refer to this document http://dl3.checkpoint.com/paid/a6/CP_R75_IdentityAwareness_AdminGuide.pdf?HashKey=1406609615_673007d65df939c943ee67df223fe99e&xtn=.pdf.
It is Checkpoint's feature to do what you want.
The basic idea is simple. Monitor the DC's Windows event log for user logon messages. There are specific event types for user logon events. The IP and user binding info you need is in the log message.
For multiple domains, you need to monitor all DCs of the domains.
appleleaf
Thanks! The document is a somewhat different thing, as I needed to install Checkpoint, but it is still very informative! Thanks dude. – manket59 Jul 29 '14 at 04:10
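The event-log approach described in the answer can also be done directly with PowerShell on the domain controllers. The following is an added example, not code from the answer or from Check Point. It assumes Security event IDs 4624 (logon) and 4768 (Kerberos TGT request), the 'Domain Admins' group, a 24-hour window, and that the ActiveDirectory module and remote event log access are available.

```powershell
# Added example: show which host/IP each administrative account logged on from.
# Assumptions: event IDs 4624 and 4768, the 'Domain Admins' group, a 24-hour window.
# Remote reads need the "Remote Event Log Management" firewall rules on each DC.
Import-Module ActiveDirectory

$since  = (Get-Date).AddHours(-24)
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Select-Object -ExpandProperty SamAccountName
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    $filter = @{ LogName = 'Security'; Id = 4624, 4768; StartTime = $since }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the named <Data> fields of the event into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }

        # Keep only events for accounts in the admin group (skips machine accounts too).
        if ($admins -notcontains $data['TargetUserName']) { return }

        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            DC          = $dc
            EventId     = $_.Id
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            SourceIP    = $data['IpAddress']        # "-" means a local logon on the DC
            Workstation = $data['WorkstationName']  # present in 4624 only
            LogonType   = $data['LogonType']        # 4624 only: 2 console, 3 network, 10 RDP
        }
    }
}

# One row per logon, newest first, across every DC in the domain.
$results | Sort-Object Time -Descending |
    Select-Object Time, DC, EventId, User, Domain, SourceIP, Workstation, LogonType |
    Format-Table -AutoSize
```

Event 4624 only covers logons to the DC itself, while 4768 is written whenever an account requests a Kerberos ticket from any host, so the two together show both direct DC access and where each admin is working from.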