Runas logging?

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I would like to track who uses the RUNAS command as the adminitrator
account. Does the RUNAS command log it's usage anywhere? Does it detail
who (user) or where (computer) it was used?

Kevin
 

Rob

Distinguished
Dec 31, 2007
1,573
0
19,780
Archived from groups: microsoft.public.win2000.security (More info?)

If security logging is enabled, it posts logon and logoff
events just as if the user is logging on to the computer
from the network logon dialog.
>-----Original Message-----
>I would like to track who uses the RUNAS command as the
adminitrator
>account. Does the RUNAS command log it's usage
anywhere? Does it detail
>who (user) or where (computer) it was used?
>
>Kevin
>
>
>.
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

First you would have to enable auditing of logon events on computers where you want
to track it. Then you can look for Event ID's 528 and 538 that use "seclogon" [which
is secondary logon] as the logon process. You can use Event Comb, free from MS, to
scan multiple computers by entering seclogon in the event box and events 528 and 538
as events to search for. Those would be for successful logons using runas. If you
also want to track failed logons you will have to scan for more event id's as shown
in the link below. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/518.asp

"Kevin Divine" <divinek@hotmail.com> wrote in message
news:MzzHc.12$UL5.26172@news.uswest.net...
> I would like to track who uses the RUNAS command as the adminitrator
> account. Does the RUNAS command log it's usage anywhere? Does it detail
> who (user) or where (computer) it was used?
>
> Kevin
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Oops. You would enter "seclogon" in the text box. --- Steve

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:LoAHc.48549$MB3.34645@attbi_s04...
> First you would have to enable auditing of logon events on computers where you want
> to track it. Then you can look for Event ID's 528 and 538 that use "seclogon"
[which
> is secondary logon] as the logon process. You can use Event Comb, free from MS, to
> scan multiple computers by entering seclogon in the event box and events 528 and
538
> as events to search for. Those would be for successful logons using runas. If you
> also want to track failed logons you will have to scan for more event id's as shown
> in the link below. --- Steve
>
>
http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/518.asp
>
> "Kevin Divine" <divinek@hotmail.com> wrote in message
> news:MzzHc.12$UL5.26172@news.uswest.net...
> > I would like to track who uses the RUNAS command as the adminitrator
> > account. Does the RUNAS command log it's usage anywhere? Does it detail
> > who (user) or where (computer) it was used?
> >
> > Kevin
> >
> >
>
>
 

TRENDING THREADS