How to know the IP address of the user making changes to the server

la reine de paix 1 Reputation point
2021-08-23T18:21:27.23+00:00

How to know the IP address of the user making changes to the server using the local admin account?
And how to know the changes he is making with the local admin account? Keep in mind that no security tools are permitted to be installed.


2 answers

  1. SUNOJ KUMAR YELURU 15,416 Reputation points MVP Volunteer Moderator
    2021-08-24T02:24:31.02+00:00

    Hi @la reine de paix

    The Audit object access policy handles auditing access to all objects that reside outside of AD. The first use you might think of for this policy is file and folder auditing. You can also use the policy to audit access to any type of Windows object, including registry keys, printers, and services.

    Furthermore, to audit access to an object such as a crucial file, you must enable more than just this policy; you must also enable auditing for the specific objects that you want to track. To configure an object’s audit policy:

    1. Open the object's Properties dialog box.
    2. Select the Security tab.
    3. Click Advanced.
    4. Select the Auditing tab.

    However, be warned: This policy can bog down servers. Audit only crucial objects and audit only for crucial access (e.g., Write access).

    The policy has 11 subcategories:
    - File System
    - Registry
    - Kernel Object
    - SAM
    - Certification Services
    - Application Generated
    - Handle Manipulation
    - File Share
    - Filtering Platform Packet Drop
    - Filtering Platform Connection
    - Other Object Access Events

    Refer to: Object Access Events

    If the Answer is helpful, please click Accept Answer and up-vote, so that it can help others in the community looking for help on similar topics.


  2. Limitless Technology 39,926 Reputation points
    2021-08-24T10:12:49.093+00:00

    Hello,

    As far as I know, once you have configured the Audit object access policy, you can do the analysis using the object access event IDs. You can refer to the link below to check the different event IDs and their meanings:

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-object-access

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    Thanks,

    Mohammed S

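An added example, not part of either answer above and not Microsoft's own code: one way to do the first answer's steps with built-in tools only, then join object-access events (4663) to the logon event (4624) of the same session to get the source IP. The folder `C:\Data\Critical`, the `Everyone` audit principal and the time windows are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Assumed values for illustration; change them to the object you need to track.
$Path  = 'C:\Data\Critical'
$Since = (Get-Date).AddDays(-1)

# 1. Enable the File System subcategory of Audit object access
#    (the subcategory name is localized on non-English systems).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit entry (SACL) for successful write/delete only, following the
#    answer's advice to audit only crucial access and keep event volume down.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Flatten an event's EventData section into a hashtable keyed by field name.
function ConvertTo-FieldTable($Record) {
    $t = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $t[$d.Name] = $d.'#text' }
    $t
}

# 3. Index logon events (4624) by logon ID; these carry the source address.
#    Look further back than $Since because a session can outlive the window.
$logons = @{}
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since.AddDays(-7)} -ErrorAction SilentlyContinue |
    ForEach-Object { $f = ConvertTo-FieldTable $_; $logons[$f.TargetLogonId] = $f }

# 4. For each object access (4663), look up the session that performed it.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $a = ConvertTo-FieldTable $_
        $l = $logons[$a.SubjectLogonId]   # $null if the logon event is no longer in the log
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $a.SubjectUserName
            Object    = $a.ObjectName
            Process   = $a.ProcessName
            Access    = $a.AccessMask
            LogonType = if ($l) { $l.LogonType } else { 'unknown' }
            SourceIP  = if ($l) { $l.IpAddress } else { 'unknown' }
        }
    } | Format-Table -AutoSize
```

A SourceIP of `-` or a loopback address means the session was a local or console logon; logon IDs are only unique between reboots, so correlate within a single boot session.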
