By looking at the security log in the event viewer of the workstation. So if I haven't set up object access auditing already, it's too late to gather any more data for this event. Is that about right?
On Tue, Oct 28, 2008 at 6:02 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote: > How are you finding out this information at the moment? As best I can > tell, you can use object access auditing to get this information – but if > you have that on already... > > > > Cheers > > Ken > > > > *From:* Clubber Lang [mailto:[EMAIL PROTECTED] > *Sent:* Wednesday, 29 October 2008 10:14 AM > *To:* NT System Admin Issues > *Subject:* Unknown account created and added to local admins group > > > > An account has been created and added to the local Administrators group on > an XP workstation that's a member of a domain. The name of the account is a > long string of random small and capital letters like this: > wiwr7eyieUEIRU4EYSRI > > I see in the Security log when the account was added, then a password > added, then added to the local Adminsitrators group, and it all occurred > within 1 minute. But is there a way to tell if another local or domain > account was used to do the adding, and if so which one? > > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
