2 Replies Latest reply on Nov 10, 2014 1:24 PM by NeoIsTaken

    LANDesk Service Account - Connection type 2 (Interactive)

    Specialist

      One of my tasks this week was to identify active service accounts and where they are touching. During this process I discovered an odd reading.

      Our service account for LANDesk is showing up as an "Interactive" connection type on several servers.

      Microsoft defines LogonType 2 as: "Intended for users who are interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process."

      What LANDesk feature would use this type of connection, and run for 2 days? I have already verified on 2 of the servers the account was not logged into the server from the console.
      Did I completely miss the boat?

        • 1. Re: LANDesk Service Account - Connection type 2 (Interactive)
          Tanner Lindsay SupportEmployee

          I'm not familiar with the tool you are using, or how it calculates time and such. However, given the description there of "Interactive", perhaps it is an agent installation? The description says it includes "remote shell, or similar process". The Core Server uses the credentials configured in the Scheduler to reach out to unmanaged (or sometimes managed) devices and perform an agent installation, making use of RPC as well as other processes. Perhaps that contributed to the connection?

           

          Aside from the obvious "someone, or something else got those credentials", you may be able to further reduce the potential areas by setting a few different credentials. Use one for the Scheduler, another for the COM+ objects, another for Preferred Server access and such, as that might provide some insight.

          • 2. Re: LANDesk Service Account - Connection type 2 (Interactive)
            Specialist

            The information is from the audit results in Windows Security Event Log

             

            EDIT:

            Here is the PowerShell command to pull the logs. I can provide the entire script if you would like to see it.

            Get-WinEvent -FilterHashtable @{logname='Security';id=4624;StartTime=([DateTime]::Now.AddDays(-7)).date;EndTime=(Get-Date).date} -ComputerName $computername -ErrorAction Stop
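
Added example, not part of the original posts: one way to narrow down what is creating the type 2 sessions is to read the `ProcessName`, `LogonProcessName` and `TargetLogonId` fields out of each 4624 event and group the service account's interactive logons by the process that requested them. The account name `svc-landesk`, the function name `ConvertTo-LogonRecord` and the sample event are constructed for illustration.

```powershell
# Added example. The account name and the sample event below are constructed.
$ServiceAccount = 'svc-landesk'   # hypothetical service account name

function ConvertTo-LogonRecord {
    # Flatten one 4624 event (XML text) into an object with named fields.
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = [xml]$EventXml
    $data = @{}
    foreach ($node in $evt.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        TimeCreated      = $evt.Event.System.TimeCreated.SystemTime
        Computer         = $evt.Event.System.Computer
        TargetUserName   = $data['TargetUserName']
        LogonType        = [int]$data['LogonType']
        LogonProcessName = $data['LogonProcessName']  # component that requested the logon
        ProcessName      = $data['ProcessName']       # executable that requested the logon
        IpAddress        = $data['IpAddress']         # '-' when there is no network source
        TargetLogonId    = $data['TargetLogonId']     # also present in the 4634 logoff event
    }
}

# Constructed sample event so the example runs without access to a Security log.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2014-10-20T12:08:23.0000000Z"/><Computer>SERVER01</Computer></System>
  <EventData>
    <Data Name="TargetUserName">svc-landesk</Data>
    <Data Name="TargetLogonId">0x3e7a1</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">Advapi</Data>
    <Data Name="ProcessName">C:\Example\placeholder.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@

$records = @(ConvertTo-LogonRecord -EventXml $sampleXml)
# Against a live log, build $records from the query in the post above instead:
#   $records = @(Get-WinEvent -FilterHashtable @{logname='Security';id=4624} -ComputerName $computername |
#       ForEach-Object { ConvertTo-LogonRecord -EventXml $_.ToXml() })

# Count the account's interactive (type 2) logons per server and requesting process.
$records |
    Where-Object { $_.LogonType -eq 2 -and $_.TargetUserName -eq $ServiceAccount } |
    Group-Object Computer, ProcessName, LogonProcessName |
    Select-Object Count, Name
```

Matching each record's `TargetLogonId` against event 4634 on the same server gives the end of that session, which is how a duration such as the 2 days in the question can be checked.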