1

I am working in the IT department of my company. My two colleagues in my department are very intimate with some other domain users. Last week, I was asked to install a new IDE on those domain users' computers. I copied the setup files to a shared folder, then we all went on our lunch break. When I returned from lunch to do the installation, the domain user said that the installation was already completed. According to our domain user permission policies, domain users are not able to install programs on their computers. I asked him how he did it on his own. He replied that he was in a hurry and had asked his friend from the IT department to help him. However, I have a strong suspicion that he is lying, because we were in the same dining room with his friend during lunch and he didn't have enough time to do the installation. When I asked my colleague, he also confirmed it. But his facial expression and manner of speech right after I asked the question revealed the truth well enough for me.

I want to talk to my manager about this issue, but the problem is I don't have any solid proof to prove anything.

What I want to ask is, I want a means to know when an admin password is entered on a domain user's computer. We are using Active Directory on up-to-date Windows 10 Pro servers. Is there a way to get notified whenever an admin password is entered on several certain computers? Or is there a log file I can check to see if an admin password was entered? And if it was entered, when did it happen?

I searched for this on Google, but couldn't find any solution. I hope you can help me.

hkBattousai

1 Answer

1

You can set and use User Group Policies to identify user log ins.

User Log ins

To check user login history in Active Directory, enable auditing by following the steps below:

1. Run gpmc.msc (Group Policy Management Console).

2. Create a new GPO.

3. Click Edit and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. Under Audit Policies, you'll find specific settings for Logon/logoff and Account Logon.

   Logon/logoff:
   - Audit Logon > Define > Success and Failure.
   - Audit Logoff > Define > Success.
   - Audit Other Logon/Logoff Events > Define > Success.

   Account Logon:
   - Audit Kerberos Authentication Service > Define > Success and Failure.

4. To link the new GPO to your domain, right-click . Select Link an Existing GPO and choose the GPO that you created.

This will log the entries, but not notify you. So if you suspect a log in, then check.

OR, have a routine to review weekly.

Note: Server auditing is not retroactive.
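
Once the audit policy from the answer is applied, the "check the log" step can be scripted. The following is an added example, not part of the original answer: it pulls logon events 4624 and 4648 for named privileged accounts from the Security log of selected workstations. The computer names and account names are placeholders to replace with your own.

```powershell
# Added example. Computer and account names below are placeholders.
$Computers     = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02')
$AdminAccounts = @('Administrator', 'it-admin-example')
$Since         = (Get-Date).AddDays(-7)

# 4624: an account was successfully logged on.
# 4648: a logon was attempted using explicit credentials (for example runas).
$Filter = @{ LogName = 'Security'; Id = 4624, 4648; StartTime = $Since }

$Hits = foreach ($Computer in $Computers) {
    try {
        $Records = Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop
    }
    catch {
        # Covers unreachable hosts, access denied, and "no matching events".
        Write-Warning "${Computer}: $($_.Exception.Message)"
        continue
    }

    foreach ($Record in $Records) {
        # Turn the <EventData> name/value pairs into a lookup table.
        $Data = @{}
        foreach ($Node in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $Data[$Node.Name] = $Node.'#text'
        }

        # TargetUserName is the account whose credentials were used.
        if ($AdminAccounts -notcontains $Data['TargetUserName']) { continue }

        [pscustomobject]@{
            Time        = $Record.TimeCreated
            Computer    = $Computer
            EventId     = $Record.Id
            Account     = '{0}\{1}' -f $Data['TargetDomainName'], $Data['TargetUserName']
            InitiatedBy = $Data['SubjectUserName']
            LogonType   = $Data['LogonType']   # present on 4624 only
            Process     = $Data['ProcessName']
        }
    }
}

$Hits | Sort-Object Time | Format-Table -AutoSize
```

Reading a remote Security log requires an account with rights to that log (for example membership in Event Log Readers on the target) and remote event log access through the firewall.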