Report for successful/failed logins for members of domain admins?

Author Message
jlapham@connekted.com

  • Total Posts : 1
  • Joined: 11/12/2015
  • Status: offline
Report for successful/failed logins for members of domain admins? Tuesday, March 29, 2016 8:01 PM (permalink)
I'm looking to get a report generated for successful and failed logins, but only for members of the domain admins group.  For the life of me, I cannot figure out how to do this.  SUccessful and failed logins for ALL users is easy enough, but I can't find a way to filter it down.
 
Regards,
J Lapham
Connekted, Inc.
 
#1
    akehler

    • Total Posts : 2
    • Joined: 4/22/2016
    • Status: offline
    Re:Report for successful/failed logins for members of domain admins? Friday, April 22, 2016 2:54 PM (permalink)
    I'll second this.  From the CISecurity Critical Controls:
     
    5.1 Minimize administrative privileges and only use administrative accounts when they are required.  Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
    5.5 Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.
     
    I understand that all of these actions are logged along with non-administrative accounts, however having a report that isolates the activity of just administrative accounts would prove extremely useful.
     
    #2
      yorkmak

      • Total Posts : 19
      • Joined: 3/24/2015
      • Status: offline
      Re:Report for successful/failed logins for members of domain admins? Tuesday, May 10, 2016 10:52 AM (permalink)
      jlapham@connekted.com


      I'm looking to get a report generated for successful and failed logins, but only for members of the domain admins group.  For the life of me, I cannot figure out how to do this.  SUccessful and failed logins for ALL users is easy enough, but I can't find a way to filter it down.

      Regards,
      J Lapham
      Connekted, Inc.

      Please try to created a custom report with event ID 4624 and 4625 only.
       
      #3
        akehler

        • Total Posts : 2
        • Joined: 4/22/2016
        • Status: offline
        Re:Report for successful/failed logins for members of domain admins? Tuesday, May 10, 2016 2:36 PM (permalink)
        yorkmak


        Please try to created a custom report with event ID 4624 and 4625 only.

         
        That will report ALL successful and failed logins.  The question was how to report only DOMAIN ADMIN logins.
         
        #4
          stephen.white@GFI.com

          • Total Posts : 22
          • Joined: 1/14/2016
          • Status: offline
          Re:Report for successful/failed logins for members of domain admins? Thursday, May 19, 2016 2:26 PM (permalink)
          jlapham
          In the report fields, as well as the event ID and the log you would need to add the field, such as target user id, and then equate that to the user you would like to filter with joined with an and statement.
          Stephen White
          GFI Software 
          Blog - Twitter - YouTube - Facebook 
           
           
          #5
            Online Bookmarks Sharing: Share/Bookmark

            Jump to:

            Current active users

            There are 0 members and 1 guests.

            Icon Legend and Permission

            • New Messages
            • No New Messages
            • Hot Topic w/ New Messages
            • Hot Topic w/o New Messages
            • Locked w/ New Messages
            • Locked w/o New Messages
            • Read Message
            • Post New Thread
            • Reply to message
            • Post New Poll
            • Submit Vote
            • Post reward post
            • Delete my own posts
            • Delete my own threads
            • Rate post

            2000-2017 ASPPlayground.NET Forum Version 3.9