Instructions (to be fleshed out more over time).
Ensure both the app and the .dll are located in the same directory, or in the default path.
Run the app, select Tools > Admin accounts from the menu, and enter all the admin accounts for all the domains you are a member of (this allows the application to discover other domains and check for user accounts on them). Passwords are encrypted and stored in the user profile path.
Enter a user name to scan, either plain or in the form "Domain\UserName".
The buttons on the top do the following (from the left):
- Begin Search
- Discover Other domains. If this is not clicked, then it will only find the username in the domain you've specified (or, if no domain is given, within the same domain as the PC you're connected to).
- Analyse Machines: If we've found any machines that have had bad password attempts come from them, it will provide further analysis. Note: if the machine is on a different domain than the user account, the software will go through each stored admin account and try to connect with those credentials. If it finds an admin account it can use, it will use it. (So you can have bad password attempts on DOMAIN1\User coming from a static mapped drive on a machine in DOMAIN2, so long as your current account (or a stored admin account) has permissions to query WMI on the machine in DOMAIN2.)
- On each machine it can analyse, it will try to find the following suspect items:
  - Statically Mapped Drives with explicit permissions.
  - Old Logon/RDP sessions.
  - Scheduled Tasks with stale credentials.
  - Service accounts running with stale credentials.
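
To cross-check the tool's findings by hand on a single machine, the following PowerShell is an added example, not the tool's own code. It covers services, scheduled tasks and logon/RDP sessions. `WORKSTATION01` and `jsmith` are placeholder names, and it assumes the machine is reachable over WinRM and that your current account has admin rights on it.

```powershell
# Added example, not part of the tool. Lists places on one machine where a
# given account's credentials may be stored or still in use.
param(
    [string]$ComputerName = 'WORKSTATION01',  # placeholder machine name
    [string]$UserName     = 'jsmith'          # placeholder account, no domain prefix
)

# Matches DOMAIN\user, .\user, user@domain and a bare user name (case-insensitive)
$pattern = '(^|\\)' + [regex]::Escape($UserName) + '(@|$)'

$cim = New-CimSession -ComputerName $ComputerName
try {
    # Services configured to log on as the account
    Get-CimInstance -CimSession $cim -ClassName Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Service'; Name = $_.Name
                               Account = $_.StartName; Detail = $_.State }
        }

    # Scheduled tasks that run as the account. A LogonType of 'Password'
    # means the task carries a stored password that can go stale.
    Get-ScheduledTask -CimSession $cim |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName
                               Account = $_.Principal.UserId
                               Detail = $_.Principal.LogonType }
        }

    # Interactive (2) and RDP (10) logon sessions owned by the account
    Get-CimInstance -CimSession $cim -ClassName Win32_LogonSession `
                    -Filter 'LogonType = 2 OR LogonType = 10' |
        ForEach-Object {
            $logon = $_
            Get-CimAssociatedInstance -CimSession $cim -InputObject $logon `
                                      -ResultClassName Win32_Account |
                Where-Object { $_.Name -eq $UserName } |
                ForEach-Object {
                    [pscustomobject]@{ Type = 'LogonSession'; Name = $logon.LogonId
                                       Account = $_.Domain + '\' + $_.Name
                                       Detail = "started $($logon.StartTime)" }
                }
        }
}
finally {
    Remove-CimSession -CimSession $cim
}
```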