InstantForum.NET v4.1.4UltimateWindowsSecurity.com Forumhttp://forum.ultimatewindowssecurity.com/noreply@ultimatewindowssecurity.comThu, 09 Sep 2010 16:35:40 GMT20http://forum.ultimatewindowssecurity.com/Topic194-35-1.aspxlook at who the domain user is. most likely this is</P><P>- a legit admin following best practive of using 2 accounts (1 unprivileged, 1 privileged) and then using RunAs to open an admin program requiring his privileged account</P><P>- task scheduler starting up a logon session for a program to run under admin authorityTue, 01 Sep 2009 06:16:36 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic194-35-1.aspxWhy would a domain user want to use explicit rights as the enterprise domain admin to logon? Please see example with confidential details changed.</P><P><TABLE cellSpacing=0 cellPadding=2 width="100%" border=0><TBODY><TR bgColor=#cccccc><TD>Audit Success</TD><TD>1/28/2009</TD><TD>6:20:24 PM</TD><TD>552</TD><TD>Security</TD><TD>Logon/Logoff</TD><TD>\SYSTEM</TD><TD>COMPUTER</TD></TR><TR bgColor=#cccccc><TD colSpan=10>Logon attempt using explicit credentials:<BR>Logged on user:<BR>User Name: domain user<BR>Domain: domain<BR>Logon ID: (******)<BR>Logon GUID: {****}<BR>User whose credentials were used:<BR>Target User Name: administrator<BR>Target Domain: DOMAIN<BR>Target Logon GUID: {*****}<BR><BR>Target Server Name: (null)<BR>Target Server Info: (null)<BR>Caller Process ID: (null)<BR>Source Network Address: (null)<BR>Source Port: (null)<BR>Caller Process Name: (null)<BR></TD></TR></TBODY></TABLE>Sun, 30 Aug 2009 22:13:57 GMTtnrdhdhllblly