Forum Discussion
iq
Nov 06, 2022Copper Contributor
Auditing user activity across Enterprise servers
Hello Experts ,
We have been noticing some users are using shared service accounts to perform some activities which need to be traced and tracked for auditing.
I am looking for help with a Powershell script which lets me see all the users connected across the Network of servers. Please let me know if there is any such script which I can use or may be tweak a little bit.
Regards
Faiz
We need a simple report like
User ID, Session_ID , Local Client_Host_ID, Remote Server_ID_Connected to, brief_descp_Activity performed
- You can find a lot of things in the security logs of your Domain Controller and the local security log of the remote server. But that's mainly logon events by default, you have to enable object access logging to see what things they are doing using the service account.
But are you preventing the usage of those service accounts? You can restrict them to only log on to certain computer accounts for example.- iqCopper Contributor
Harm_Veenstra We ar enot restricting it but would like to know if users are using the access to do somethinhg they should not be doing. Is there any powershell script or any othe script I can use to check this ?
- I were a blog about how to gather security events on domain controllers, https://powershellisfun.com/2022/07/19/retrieve-security-events-from-active-directory-using-powershell/ and perhaps you can expand on that? It searches for certain events. If you audit logon events, you should be able to gather information about that (you can add more event id's to search for)
- Did you manage to create the report?