Part 2: User Information
Note: This applies to EventSentry version 3.5.1.32
HOW TO:
Find a stale RDP session on a server that is locking out an account:
- Open the EventSentry Web reports and log in
- Navigate to Reports -> Compliance
- Click on the Terminal Services Logons report in the HIPAA section (or click Run, on the right side)
- The Search filter will already have type:"Terminal Services" in it. Add the following after a space: AND user:<domain>\<username> to filter for a specific user
- Any session still logged in will show “still logged on…” in the Logout column
Produce a report that shows all logon events for a specified user ID:
- Open the EventSentry Web reports and log in
- Navigate to Reports -> Compliance
- Click on Account Authentication Analysis (bottom of the HIPAA section)
- Click the Detailed button in the upper left
- The Search filter will already have computertype:"Terminal Services" in it. Add the following after a space: AND account:<username> to filter for a specific user
See a top 20 list of both successful and failed logons:
- Open the EventSentry Web reports and log in
- Navigate to Dashboard -> Overview -> User Activity
- Click on a server’s tile to view its statistics on the left side
See all user lockouts over a given time period:
- Open the EventSentry Web reports and log in
- Navigate to Reports -> Compliance
- Click on User Account Lockouts (middle of the NIST 800-171 section)
- Adjust the time range in the upper right
See more at: https://www.eventsentry.com/