Logging Windows Security Events

[keepsmilin456]

We have about 100 servers in our organization and about 30 developers which of about 20 have the domain "administrator" account password. Not good. We need to change this password ASAP, but before we do this, we need a way to figure out who is using this account. All the developers use a terminal service connection to log into servers using their PC's. Is there a way to track IP addresses or host names?

I know the Domain Controller logs all security events, but it only tells me if they logged in using their OWN account and some events do not record where the connection was initiated from.

3rd party solutions I've checked out:
LANguard S.E.L.M - just cleanly lists security events from Windows boxes & generates reports but does not list which machine it came from.

Greyware Logon Monitor - just records user logon/logoff but does not list which machine it came from.

Any ideas?

 

[itsp1965]

Quick and dirty way, if you go in Computer mgmt-->Sessions it will show all occurence of who is logged as the Domain Admin and from what IP/Host

 

[keepsmilin456]

Yeah, I've found that already...btw for that, is there a way to real-time monitor that? Does it get stored in some type of log file? If so, where?

Any other suggestions from anyone else?