How do I know if/when a domain user enters the admin password?

Solution 1:

You can set and use User Group Policies to identify user logins.

User Logins

To check user login history in Active Directory, enable auditing by following the steps below:

1. Run gpmc.msc (Group Policy Management Console).

2. Create a new GPO.

3. Click Edit and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. Under Audit Policies, you'll find specific settings for Logon/logoff and Account Logon.

   Logon/logoff:
   - Audit Logon > Define > Success and Failure.
   - Audit Logoff > Define > Success.
   - Audit Other Logon/Logoff Events > Define > Success.

   Account Logon:
   - Audit Kerberos Authentication Service > Define > Success and Failure.

4. To link the new GPO to your domain, right-click . Select Link an Existing GPO and choose the GPO that you created.

This will log the entries, but not notify you. So if you suspect a login, then check.

OR, have a routine to review weekly.

Note: Server auditing is not retroactive.
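
Added example (not part of the original answer): a PowerShell sketch of the manual or weekly review described above. It reads the 4624 (logon success) and 4625 (logon failure) events that the Audit Logon setting produces and lists the ones for a single account. The function name `Get-AccountLogonEvent`, the account name `Administrator`, and the sample events are assumptions constructed for illustration.

```powershell
# Added example, not from the original answer. The function name, account
# name and sample events below are constructed for illustration.
function Get-AccountLogonEvent {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,  # one string per event, from $event.ToXml()
        [Parameter(Mandatory)] [string]   $Account    # account to watch, e.g. the admin account
    )
    # Common LogonType values recorded in events 4624/4625
    $logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock'; '10' = 'RemoteInteractive' }
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # EventData is a flat list of <Data Name="...">value</Data>; index it by name
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Account) { continue }   # case-insensitive match
        $type = [string]$data['LogonType']
        [pscustomobject]@{
            Time      = $evt.System.TimeCreated.SystemTime
            Result    = if ($evt.System.EventID -eq '4624') { 'Success' } else { 'Failure' }
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { $type }
            Source    = $data['IpAddress']
            Computer  = $evt.System.Computer
        }
    }
}

# Constructed sample events in the Security log's XML layout (not real log data)
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = '<Event xmlns="{0}"><System><EventID>{1}</EventID><TimeCreated SystemTime="{2}" /><Computer>{3}</Computer></System><EventData><Data Name="TargetUserName">{4}</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">{5}</Data><Data Name="IpAddress">{6}</Data></EventData></Event>'
$sample = @(
    $template -f $ns, 4624, '2024-05-06T08:15:30Z', 'WS01.corp.example', 'Administrator', 2,  '10.0.0.21'
    $template -f $ns, 4625, '2024-05-06T08:14:58Z', 'WS01.corp.example', 'Administrator', 2,  '10.0.0.21'
    $template -f $ns, 4624, '2024-05-06T09:02:11Z', 'WS02.corp.example', 'jsmith',        10, '10.0.0.34'
)

# Prints the two Administrator rows; the jsmith logon is filtered out
Get-AccountLogonEvent -EventXml $sample -Account 'Administrator' | Format-Table -AutoSize

# Live use from an elevated prompt, covering the last 7 days:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-7) } |
#     ForEach-Object { $_.ToXml() }
# Get-AccountLogonEvent -EventXml $live -Account 'Administrator'
```

The events only exist from the point the audit policy took effect, and each machine records its own logons in its own Security log, so run the live query on the computer you want to review.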