Thanks for the response, curtisi. That would be a great way to capture the events if we had agents on our workstations, which unfortunately, we don't.
At some point, the process of elevating privileges through the Run As Administrator feature would have to authenticate to the domain controllers, no? I must be missing something because I cannot find a logged event of this authentication anywhere on our DCs. We're running 2008 AD environment and are using Advanced Audit Policy settings as follows:
| Logon-Logoff | IPsec Extended Mode | No Auditing |
| Logon-Logoff | Network Policy Server | No Auditing |
| Logon-Logoff | IPsec Main Mode | No Auditing |
| Logon-Logoff | Logoff | Success |
| Logon-Logoff | Other Logon/Logoff Events | No Auditing |
| Logon-Logoff | Special Logon | Success |
| Logon-Logoff | Logon | Success and Failure |
| Logon-Logoff | Account Lockout | No Auditing |
| Logon-Logoff | IPsec Quick Mode | No Auditing |
| Account Logon | Kerberos Service Ticket Operations | No Auditing |
| Account Logon | Other Account Logon Events | No Auditing |
| Account Logon | Credential Validation | Success and Failure |
| Account Logon | Kerberos Authentication Service | No Auditing |
We tried setting Logon-Logoff > Special Logon to Success & Failure but that didn't help. Anyone else have any experience with capturing these events? Any suggestions? Thanks a lot!