Runas logging?

  • Thread starter: Kevin Divine

Kevin Divine

I would like to track who uses the RUNAS command as the administrator
account. Does the RUNAS command log its usage anywhere? Does it detail
who (user) or where (computer) it was used?

Kevin
 
If security logging is enabled, it posts logon and logoff
events just as if the user is logging on to the computer
from the network logon dialog.
 
First you would have to enable auditing of logon events on computers where you want
to track it. Then you can look for Event IDs 528 and 538 that use "seclogon" [which
is secondary logon] as the logon process. You can use Event Comb, free from MS, to
scan multiple computers by entering seclogon in the event box and events 528 and 538
as events to search for. Those would be for successful logons using runas. If you
also want to track failed logons you will have to scan for more event IDs as shown
in the link below. --- Steve

http://www.microsoft.com/resources/...wsserv/2003/datacenter/proddocs/en-us/518.asp
 
Oops. You would enter "seclogon" in the text box. --- Steve

Steven L Umbach said:
First you would have to enable auditing of logon events on computers where you want
to track it. Then you can look for Event IDs 528 and 538 that use "seclogon" [which
is secondary logon] as the logon process. You can use Event Comb, free from MS, to
scan multiple computers by entering seclogon in the event box and events 528 and 538
as events to search for. Those would be for successful logons using runas. If you
also want to track failed logons you will have to scan for more event IDs as shown
in the link below. --- Steve

http://www.microsoft.com/resources/...wsserv/2003/datacenter/proddocs/en-us/518.asp

Kevin Divine said:
I would like to track who uses the RUNAS command as the administrator
account. Does the RUNAS command log its usage anywhere? Does it detail
who (user) or where (computer) it was used?

Kevin
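
The filtering described in the reply above, as an added example that is not part of the original thread: Python code that picks event 528 records whose logon process is seclogon out of exported Security log records and pairs each one with its event 538 logoff by Logon ID. The sample records, their field layout and the function names are constructed for illustration.

```python
import re

# Constructed sample records: (event_id, computer, description text).
# The field labels are an assumed layout for 528/538 event descriptions.
SAMPLE = [
    (528, "WKS01", "Successful Logon:\n\tUser Name:\tAdministrator\n\tDomain:\tCORP\n"
                   "\tLogon ID:\t(0x0,0x558DD)\n\tLogon Type:\t2\n\tLogon Process:\tseclogon\n"),
    (528, "WKS01", "Successful Logon:\n\tUser Name:\tjsmith\n\tDomain:\tCORP\n"
                   "\tLogon ID:\t(0x0,0x41A02)\n\tLogon Type:\t2\n\tLogon Process:\tUser32\n"),
    (538, "WKS01", "User Logoff:\n\tUser Name:\tAdministrator\n\tDomain:\tCORP\n"
                   "\tLogon ID:\t(0x0,0x558DD)\n\tLogon Type:\t2\n"),
    (538, "WKS01", "User Logoff:\n\tUser Name:\tjsmith\n\tDomain:\tCORP\n"
                   "\tLogon ID:\t(0x0,0x41A02)\n\tLogon Type:\t2\n"),
    (528, "SRV02", "Successful Logon:\n\tUser Name:\tAdministrator\n\tDomain:\tCORP\n"
                   "\tLogon ID:\t(0x0,0x7C310)\n\tLogon Type:\t2\n\tLogon Process:\tseclogon\n"),
]

# One "Label: value" pair per line; [ \t] keeps a match from spilling onto the next line.
FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)

def fields(description):
    """Parse an event description into a dict keyed by lower-cased field label."""
    return {k.strip().lower(): v.strip() for k, v in FIELD.findall(description)}

def runas_sessions(records):
    """Return one dict per seclogon logon; logged_off is True once a 538 matches."""
    sessions = {}
    for event_id, computer, description in records:
        f = fields(description)
        # Logon IDs are only meaningful per machine, so key on both.
        key = (computer, f.get("logon id"))
        if event_id == 528 and f.get("logon process", "").lower() == "seclogon":
            sessions[key] = {
                "computer": computer,
                "account": f.get("domain", "") + "\\" + f.get("user name", ""),
                "logon_id": f.get("logon id"),
                "logged_off": False,
            }
        # In this constructed layout the 538 record has no Logon Process field,
        # so it is tied to its logon through the Logon ID.
        elif event_id == 538 and key in sessions:
            sessions[key]["logged_off"] = True
    return list(sessions.values())

if __name__ == "__main__":
    for s in runas_sessions(SAMPLE):
        print(s["computer"], s["account"], s["logon_id"], "logged off:", s["logged_off"])
```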
 