Hi guys, a customer asked me for visibility into who is accessing C$ in his environment; users were claiming that admins are using domain admin privileges to access C$ on client computers. What this customer asked for is a daily report about who is accessing C$. Using event forwarding and PowerShell, we were able to get a daily email with the information we need. If you are interested, follow the steps 😉.
- Enable audit on client computers.
- Configure Event forwarding to centralize logs on a server.
- Script to process events on the WEF server and send a daily CSV file showing who is accessing C$ on which computer.
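
The following is an added example of what the reporting step on the WEF server can look like; it is not the original post's script, which is not shown in this excerpt. It assumes the clients audit the "File Share" subcategory (event ID 5140) and forward to the collector's `ForwardedEvents` log; the report path, mail addresses and SMTP server are placeholders.

```powershell
# Added example, not the original author's script.
# Assumptions: clients log event ID 5140 ("A network share object was accessed")
# and forward it to this collector's ForwardedEvents log.
$since   = (Get-Date).AddDays(-1)
# Placeholder path; the C:\Reports folder must already exist.
$csvPath = 'C:\Reports\CShareAccess_{0:yyyyMMdd}.csv' -f (Get-Date)

$filter = @{ LogName = 'ForwardedEvents'; Id = 5140; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($evt in $events) {
    # Read EventData by field name rather than by position.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 5140 records the share as \\*\C$; skip IPC$, ADMIN$ and other shares.
    if ($data['ShareName'] -notmatch '\\C\$$') { continue }

    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Computer    = $evt.MachineName   # client that logged the access
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        SourceIP    = $data['IpAddress']
        ShareName   = $data['ShareName']
    }
}

if ($rows) {
    $rows | Sort-Object TimeCreated |
        Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

    # Placeholder mail settings; replace with your own relay and addresses.
    Send-MailMessage -From 'wef@example.com' -To 'secops@example.com' `
        -Subject ('C$ access report {0:yyyy-MM-dd}' -f (Get-Date)) `
        -Body 'Daily report of C$ access attached.' `
        -Attachments $csvPath -SmtpServer 'smtp.example.com'
}
```

Run it once a day from a scheduled task on the collector, under an account that can read the `ForwardedEvents` log.
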
I- Enable Audit on client computers
We will enable auditing on the in-scope client computers using a GPO. Let’s do it.
Create and link a GPO on your target OU, LabComputers OU in my scenario.
Edit the GPO and configure…