Re: Monitoring domain user activity
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sun, 28 Aug 2005 22:07:04 -0400
Even though you have such a small environment, this is still going to be extremely tough with just native components, and quite frankly, I can't think of any third party tools that will really help you. These issues really come in when you consider that logon/logoff is not the same as it is in some other operating systems which actively track users' connections.
A Windows user logs on and gets a Kerberos ticket; that ticket is their authentication pass and is good for 10 hours by default. In that time, they don't have to authenticate anymore; they simply have to ask for new service tickets from the DCs to access new resources, and each one of those tickets they request and get is, by default, valid for 10 hours. This means that once a user logs on and gets their TGT and service tickets there are 10 hours where you don't have a clue centrally[1] what is going on. They are free range, and about the only thing you can do away from the client is check every server for live NetBIOS connections from the user through something that enumerates sessions (like net sessions), but that doesn't catch TCP/IP based apps like SQL or LDAP or any number of applications. Clearly this is way outside the range of what you can do with Active Directory. AD was set up so that you could enable people to work under all sorts of harsh connections with lots of failover when DCs become unavailable, etc.
So you are stuck implementing something on the clients. It tracks who logs on or logs off and sends the info to a remote store. That is fairly easy as long as you have complete control of all of the clients including the software so you could load something to track that and no one has anything greater than user access so they can't load their own software to thwart you.
But what about people that hibernate or suspend... The program has to be good enough and fast enough to catch that and forward it to the remote store. What about crashes or someone who disconnects the network prior to hibernating or suspending (my standard practice with laptops so they aren't confused when they start back up and I am not on the network anymore) or powers the machine off by pulling the plug or yanking the batteries. Nothing you can do about those generally. Also consider cached credentials. Also consider runas functionality, logging on as one user but using runas or any number of other tools that use the CreateProcessWithLogonW API to switch the context of a given process. Also consider NET USE /USER functionality. Lots of possible ways around the tracking.
As for the whole "what programs are running thing", look at sysinternals, they have examples of tools that will be able to track that sort of info, they may even have something you can use in this exact case.
Personally if you absolutely had to be sure of all of this, it would probably involve building a custom in house security tool that was at the device driver level of every PC you need to track. No users would have greater than user rights, the device driver must not lose connectivity to some remote server where it logs info to for longer than say 5 or 10 minutes and if that is the case the device driver forces the machine to lock up tight as a drum so no one can do anything (or logs the person off) and back at the remote server it assumes that the user is logged off after 5-10 minutes.
Honestly I would wonder if Windows is the OS this environment should be using.
joe
[1] And when I mean centrally, I don't mean a single DC, I mean all DCs because they can use any DC in a domain to get the tickets and the events, which you would have to enable to capture, will only be logged on the DC on which they do the auth or request the service tickets.
--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net
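Added illustration, not part of the thread: the server side of the client-agent scheme the reply sketches. Each workstation agent is assumed to send LOGON/HEARTBEAT/LOGOFF records (a constructed format) to a central store, and a session that goes quiet for longer than the 5-minute timeout is treated as ended, which is how the crash, pulled-plug and hibernate cases end up looking from the server.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
HEARTBEAT_TIMEOUT = timedelta(minutes=5)  # the "5 or 10 minutes" from the reply

@dataclass
class Session:
    user: str
    host: str
    start: datetime
    last_seen: datetime
    end: "datetime | None" = None
    end_reason: "str | None" = None  # "logoff" (reported) or "timeout" (inferred)

def reconcile(records, now, timeout=HEARTBEAT_TIMEOUT):
    """Fold (timestamp, host, user, kind) agent records into sessions.
    kind is LOGON, HEARTBEAT or LOGOFF. A session with no LOGOFF whose last
    heartbeat is older than `timeout` is closed as "timeout" (plug pulled,
    hibernated, crashed). runas / NET USE /USER are invisible here, as the reply warns."""
    open_sessions, closed = {}, []
    for ts, host, user, kind in sorted(records):
        key = (host, user)
        if kind == "LOGON":
            if key in open_sessions:  # second LOGON without LOGOFF: the earlier one died
                s = open_sessions.pop(key)
                s.end, s.end_reason = s.last_seen, "timeout"
                closed.append(s)
            open_sessions[key] = Session(user, host, ts, ts)
        elif kind == "HEARTBEAT" and key in open_sessions:
            open_sessions[key].last_seen = ts
        elif kind == "LOGOFF" and key in open_sessions:
            s = open_sessions.pop(key)
            s.end, s.end_reason = ts, "logoff"
            closed.append(s)
    # Anything still open that went quiet for longer than the timeout is presumed gone.
    for key in [k for k, s in open_sessions.items() if now - s.last_seen > timeout]:
        s = open_sessions.pop(key)
        s.end, s.end_reason = s.last_seen, "timeout"
        closed.append(s)
    return closed + list(open_sessions.values())

T0 = datetime(2005, 8, 28, 9, 0)
SAMPLE = [  # constructed sample records, not real log data
    (T0, "WS01", "asharma", "LOGON"),
    (T0 + timedelta(minutes=30), "WS01", "asharma", "LOGOFF"),
    (T0, "WS02", "jdoe", "LOGON"),
    (T0 + timedelta(minutes=3), "WS02", "jdoe", "HEARTBEAT"),  # lid closed; no LOGOFF ever sent
    (T0 + timedelta(minutes=31), "WS03", "jdoe", "LOGON"),
    (T0 + timedelta(minutes=33), "WS03", "jdoe", "HEARTBEAT"),
]
def current_view(now=T0 + timedelta(minutes=35)):
    return reconcile(SAMPLE, now)  # what the central store believes at `now`
```

The inferred "timeout" end is the last heartbeat, not the moment the timeout fired, so the report never credits a user with time after the machine stopped talking.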
Abhinandan Sharma wrote:
Hi All,
Greetings.
I use a Windows 2000 Advanced Server domain and ADS to manage my organization, consisting of over 1100 users and about 300 workstations. I require a solution whereby I can view, in real time or otherwise (as a report), the activities of my users and their workstations.
The users have roaming profiles and can log on to any workstation around the organization. I need to keep track especially of when they log in/log off a computer, for how long they have been using that computer and which programs they are running.
I request your suggestions on how to do it. I have tried a few third party tools which are inefficient and cumbersome to use. I just need to view the information and keep a record. Can I do it with Event Viewer on my DC? What config do I require?
If you can be kind enough to suggest some tools or a way out, I would indeed be very grateful.
Thanks in advance and regards,
-Zapp