Event ID for RSAT Access

  • 66 Views
  • Last Post 21 June 2017
manasrrp6 posted this 21 June 2017

Is any event ID create when any AD has accessed by using the  RSAT remote tool.
What is the Event ID ? if any.
--
With Warm Regards,
Manas Dash.
AD & Exchange Admin
+91 9437615424
+91 7400342191
Skype : manasrrp6
Plant a Tree & Save the Earth.

Order By: Standard | Newest | Votes
manasrrp6 posted this 21 June 2017

Is same Event ID - 4624 is generated by on remote execution of AD by RSAT ?


show

dloder posted this 21 June 2017

The audit logs on the DCs don't have any knowledge of what tools are performing any specific action on the remote client side.  You'll get the normal remote logon event IDs that you would see from any client logon action.
-- http://dloder.blogspot.com --


From: Manas Dash <manasrrp6@xxxxxxxxxxxxxxxx>
To: "ActiveDir@xxxxxxxxxxxxxxxx" <ActiveDir@xxxxxxxxxxxxxxxx>
Sent: Wednesday, June 21, 2017 5:44 AM
Subject: Re: [ActiveDir] Event ID for RSAT Access

Is same Event ID - 4624 is generated by on remote execution of AD by RSAT ?


show

barkills posted this 21 June 2017

To add to David’s response, if you need to know what is happening on the clients, you’d need to audit process execution there …



 

From the DC’s perspective, it gets Kerberos, NTLM, LDAP, SMB, and HTTP requests (and DNS if you’ve got that installed). The RSAT tools generate Kerberos/NTLM

and LDAP requests to the DC—just the same as LDP.exe or most other AD tools.

 

show

manasrrp6 posted this 21 June 2017

Nice trailing information are good. But I only want to know if any Log message or any Event ID generate on Server side after any changes done by using RSAT tool on client side.
RegardsManas DashWipro


show

Close