run as different user and audit

  • Last Post 21 April 2016
evrensev posted this 08 April 2016

Hi,

A user logs on to Windows with user1. He runs cmd.exe with “run as different user” option and uses AdminUser1’s credentials (AdminUser1 is local administrator on that machine) but I cannot see any audit log in Domain Controllers’ security logs. Does anyone have any idea why?

daemonr00t posted this 08 April 2016

If you issue a "whoami /groups" from the elevated console do you see the domain admins membership?


When you try to see the logs what error do you get? Is it an access denied?

Danny



barkills posted this 08 April 2016

Not enough information provided.

 

Question 1: Is “Windows” domain joined?

Question 2: Is AdminUser1 a domain user or not?

Question 3: Does AdminUser1 already have an active logon session (and token) on “Windows” when you do the ‘run as’?

 


kurtbuff posted this 08 April 2016

If the AdminUser1 account is local to the machine, and a local administrator, then you won't see anything on the DCs, because it won't authenticate against them.
Kurt



evrensev posted this 08 April 2016

It is a domain-joined machine.

All accounts are domain accounts.

Current logged on user to the machine is domain\user1. User1 is right clicking cmd.exe and doing “run as different user” and using domain\adminuser1 account.

 



Evren Sevilmiş
Systems Engineer

idarryl posted this 21 April 2016

Are you getting other 4624 events on DCs / is auditing enabled for those events? Did you check all DCs?
Read this for more info: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
On Fri, 8 Apr 2016 at 19:52 Evren Sevilmiş <Evren.Sevilmis@xxxxxxxxxxxxxxxx> wrote:

It is a domain-joined machine.

All accounts are domain accounts.

Current logged on user to the machine is domain\user1. User1 is right clicking cmd.exe and doing “run as different user” and using domain\adminuser1 account.

 



Evren Sevilmiş
Systems Engineer
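
The checks suggested in the last reply (is auditing enabled, was every DC searched), as an added PowerShell example that is not part of any poster's message. It goes beyond the thread by also searching for events 4768 and 4776, which a DC records when it authenticates a domain account; the account name, the time window, and the availability of the ActiveDirectory module, WinRM and remote event log access are assumptions.

```powershell
# Added example. Assumptions (not from the thread): account name, look-back
# window, RSAT ActiveDirectory module, WinRM and remote event log access,
# and an elevated session (auditpol requires it).
Import-Module ActiveDirectory

$Account  = 'adminuser1'             # account typed into "run as different user"
$Since    = (Get-Date).AddHours(-1)  # window around the test
# 4624 is the event named in the thread. 4768 (Kerberos TGT request) and
# 4776 (NTLM credential validation) are added here.
$EventIds = 4624, 4768, 4776
# Subcategory names are the English ones; a localized OS prints different text.
$Wanted   = '^\s*(Logon|Kerberos Authentication Service|Credential Validation)\s{2,}'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # 1. Is auditing enabled on this DC? Print the effective policy lines.
    $policy = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        auditpol /get /category:*
    }
    $policy | Select-String -Pattern $Wanted | ForEach-Object {
        Write-Host ("{0}: {1}" -f $dc.HostName, $_.Line.Trim())
    }

    # 2. Search this DC's Security log (every DC is visited, not just one).
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $EventIds; StartTime = $Since }

    foreach ($e in $events) {
        # Flatten <EventData> into a name/value table.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data['TargetUserName'] -eq $Account) {
            [pscustomobject]@{
                DC        = $dc.HostName
                Time      = $e.TimeCreated
                Id        = $e.Id
                LogonType = $data['LogonType']   # present on 4624 only
                Source    = (@($data['IpAddress'], $data['Workstation']) -ne $null) -join ','
            }
        }
    }
}

if ($results) { $results | Sort-Object Time | Format-Table -AutoSize }
else          { Write-Host "No matching events for $Account on any DC since $Since" }
```

The 4624 event for the "run as different user" session itself (logon type 2) is written to the Security log of the machine where cmd.exe was started, so that log is worth checking as well.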



 
