Runas logging?

  • Thread starter Thread starter Guest
  • Start date Start date
Toggle sidebar Toggle sidebar
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I would like to track who uses the RUNAS command as the adminitrator
account. Does the RUNAS command log it's usage anywhere? Does it detail
who (user) or where (computer) it was used?

Kevin
 
Archived from groups: microsoft.public.win2000.security (More info?)

If security logging is enabled, it posts logon and logoff
events just as if the user is logging on to the computer
from the network logon dialog.
>-----Original Message-----
>I would like to track who uses the RUNAS command as the
adminitrator
>account. Does the RUNAS command log it's usage
anywhere? Does it detail
>who (user) or where (computer) it was used?
>
>Kevin
>
>
>.
>
 
Archived from groups: microsoft.public.win2000.security (More info?)

First you would have to enable auditing of logon events on computers where you want
to track it. Then you can look for Event ID's 528 and 538 that use "seclogon" [which
is secondary logon] as the logon process. You can use Event Comb, free from MS, to
scan multiple computers by entering seclogon in the event box and events 528 and 538
as events to search for. Those would be for successful logons using runas. If you
also want to track failed logons you will have to scan for more event id's as shown
in the link below. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/518.asp

"Kevin Divine" <divinek@hotmail.com> wrote in message
news:MzzHc.12$UL5.26172@news.uswest.net...
> I would like to track who uses the RUNAS command as the adminitrator
> account. Does the RUNAS command log it's usage anywhere? Does it detail
> who (user) or where (computer) it was used?
>
> Kevin
>
>
 
Archived from groups: microsoft.public.win2000.security (More info?)

Oops. You would enter "seclogon" in the text box. --- Steve

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:LoAHc.48549$MB3.34645@attbi_s04...
> First you would have to enable auditing of logon events on computers where you want
> to track it. Then you can look for Event ID's 528 and 538 that use "seclogon"
[which
> is secondary logon] as the logon process. You can use Event Comb, free from MS, to
> scan multiple computers by entering seclogon in the event box and events 528 and
538
> as events to search for. Those would be for successful logons using runas. If you
> also want to track failed logons you will have to scan for more event id's as shown
> in the link below. --- Steve
>
>
http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/518.asp
>
> "Kevin Divine" <divinek@hotmail.com> wrote in message
> news:MzzHc.12$UL5.26172@news.uswest.net...
> > I would like to track who uses the RUNAS command as the adminitrator
> > account. Does the RUNAS command log it's usage anywhere? Does it detail
> > who (user) or where (computer) it was used?
> >
> > Kevin
> >
> >
>
>
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom