Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: How to capture failed 'Run as Administrator' events on a Windows domain?


Thanks for the response, curtisi. That would be a great way to capture the events if we had agents on our workstations, which, unfortunately, we don't.

 

At some point, the process of elevating privileges through the Run As Administrator feature would have to authenticate to the domain controllers, no? I must be missing something because I cannot find a logged event of this authentication anywhere on our DCs. We're running a 2008 AD environment and are using Advanced Audit Policy settings as follows:

 

 

| Category | Subcategory | Setting |
|---|---|---|
| Logon-Logoff | IPsec Extended Mode | No Auditing |
| Logon-Logoff | Network Policy Server | No Auditing |
| Logon-Logoff | IPsec Main Mode | No Auditing |
| Logon-Logoff | Logoff | Success |
| Logon-Logoff | Other Logon/Logoff Events | No Auditing |
| Logon-Logoff | Special Logon | Success |
| Logon-Logoff | Logon | Success and Failure |
| Logon-Logoff | Account Lockout | No Auditing |
| Logon-Logoff | IPsec Quick Mode | No Auditing |
| Account Logon | Kerberos Service Ticket Operations | No Auditing |
| Account Logon | Other Account Logon Events | No Auditing |
| Account Logon | Credential Validation | Success and Failure |
| Account Logon | Kerberos Authentication Service | No Auditing |

 

We tried setting Logon-Logoff > Special Logon to Success & Failure but that didn't help.  Anyone else have any experience with capturing these events?  Any suggestions?  Thanks a lot!

