Hi kz, Thank you for your quick response. "Audit account logon events" for failure is enabled and it is logging the event 4771. But, I cannot find who attempted the login. It mentions only the IP which cannot be taken for granted as the IP's are from DHCP. Are you aware of any scripts which I can use?
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected] Sent: Thursday, May 09, 2013 09:48 To: [email protected] Subject: Re: [NTSysADM] Non-admin login alert Audit the events on the DC or the file share, and then use a script or piece of software to generate a report on a daily/weekly basis? Sent from my Blackberry, which may be an antique but delivers email RELIABLY ________________________________ From: Liby Philip Mathew <[email protected]<mailto:[email protected]>> Sender: [email protected]<mailto:[email protected]> Date: Thu, 9 May 2013 06:42:15 +0000 To: [email protected]<[email protected]<mailto:[email protected]%[email protected]>> ReplyTo: [email protected]<mailto:[email protected]> Subject: [NTSysADM] Non-admin login alert HI, Is there a way to get alerted when a normal user tries to login to a domain or access file server resources with domain\administrator account? Disclaimer [The information contained in this e-mail message and any attached files are confidential information and intended solely for the use of the individual or entity to whom they are addressed. This transmission may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you have received this e-mail in error, please notify the sender immediately and delete all copies. If you are not the intended recipient, any disclosure, copying, distribution, or use of the information contained herein is STRICTLY PROHIBITED. Path Solutions accepts no responsibility for any errors, omissions, computer viruses and other defects.] P Protect our planet: Do not print this email unless necessary.
