How to know the IP of the user who accesses the server using the local admin account

la reine de paix 1 Reputation point
2021-08-08T13:45:05.817+00:00

Hi all,

In our company we build servers, and before we join these servers to the domain we use the local admin account, whose password is known by all team members, to RDP to the servers. Even after joining the server to the domain, the local admin account is sometimes still used. So what is the way to know which user accessed the server using the local admin account? Is there a way to know the IP of the user who used the local admin account to RDP to the server?
I think this is the only way to identify the user from their IP, especially since we must connect to the VPN in order to RDP to our servers.

Windows for business | Windows Server | User experience | Other

2 answers

  1. Anonymous
    2021-08-08T14:17:07.737+00:00

    what is the way to know the user who access the server using the local admin account

    If they all use the same admin account then that's all you'll know about the user, but these tools might help.
    https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon
    https://learn.microsoft.com/en-us/sysinternals/downloads/logonsessions

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. MotoX80 36,401 Reputation points
    2021-08-08T15:00:37.77+00:00

    If they use RDP, there should be an entry in the Security event log that contains the IP and client machine name.

    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4778
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648

    There should also be entries in the TerminalServices event logs.

    https://frsecure.com/blog/rdp-connection-event-logs/

    At my prior employer, we used group policy to rename and disable the built-in administrator account. That account could only be used when booting into safe mode. We also scripted a password change for that account and ran it every 90 days. This forced admins to use their own AD account.

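As an added example (not part of either answer above), the following PowerShell script pulls the client name and address that Windows records in the Security log for RDP logons with the shared local admin account. It reads the two events the answer points to for this purpose: 4624 restricted to logon type 10 (RemoteInteractive, i.e. RDP), which carries `IpAddress` and `WorkstationName`, and 4778 (session reconnected), which carries `ClientAddress` and `ClientName`. The account name `Administrator` and the 30-day window are assumptions; change them to match your build servers.

```powershell
# Added example, not from the thread. Lists who connected over RDP with the
# shared local admin account by reading Security events 4624 (type 10) and 4778.
# Run in an elevated PowerShell session on the server being investigated;
# reading the Security log requires administrator rights.
param(
    [string]$Account = 'Administrator',   # assumption: name of the shared local admin account
    [int]$Days       = 30                 # assumption: how far back to look
)

$since = (Get-Date).AddDays(-$Days)

# 4624 = successful logon (LogonType 10 is RemoteInteractive / RDP)
# 4778 = an existing session was reconnected; includes ClientName and ClientAddress
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4778
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the EventData section of the event XML into a name/value table
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    $user = $null; $ip = $null; $client = $null

    if ($e.Id -eq 4624 -and $data.LogonType -eq '10') {
        $user   = $data.TargetUserName
        $ip     = $data.IpAddress
        $client = $data.WorkstationName
    }
    elseif ($e.Id -eq 4778) {
        $user   = $data.AccountName
        $ip     = $data.ClientAddress
        $client = $data.ClientName
    }

    # Keep only RDP-related events for the shared local admin account
    if ($user -and $user -eq $Account) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            Account    = $user
            ClientName = $client
            ClientIP   = $ip
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

Because everyone shares the same account, the only thing that distinguishes one engineer from another here is the `ClientIP`/`ClientName` pair, and over a VPN that IP is the address the VPN concentrator handed out at the time; keep the VPN's own assignment logs for the same period if you need to tie it back to a person. The script also depends on "Audit Logon" and "Audit Other Logon/Logoff Events" being enabled in the advanced audit policy, otherwise 4624 and 4778 are not written at all.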
