This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 36%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELR%3C/text%3E%3C/svg%3E)
Hi all,
in our company we build servers and before we join these servers to the doamain ,we use the admin local account whose passsword is known by all team memebers to rdp servers .and even after joining the server to the domain ,sometimes the admin user account is used .so what is the way to know the user who access the server using the local admin account ,is there a way to know the ip of the user who used the local admin account to rdp the server
iI think this the only way to know the user from its ip especially we must connect to the vpn in order to rdp our servers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
what is the way to know the user who access the server using the local admin account
If they all use the same admin account then that's all you'll know about the user, but these tools might help.
https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon
https://learn.microsoft.com/en-us/sysinternals/downloads/logonsessions
--please don't forget to upvote and Accept as answer if the reply is helpful--
If they use RDP, there should be an entry in the security eventlog that contains the IP and client machine name.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4778
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648
There should also be entries in the TerminalServices eventlogs.
https://frsecure.com/blog/rdp-connection-event-logs/
At my prior employer, we used group policy to rename and disable the builtin administrator account. That account could only be used when booting into safe mode. We also scripted a password change for that account and ran it every 90 days. This forced admins to use their own AD account.