Yesterday I had to assist several users who where in Emergency Access mode.
In our environment we do not allow the end user to place themselves there from self-service
All our service desk folks have Auth Mgr Privileged Help Desk Admin role, which gives them the ability to provide both online and offline emergency access help
Emergency Access mode should be an extremely rare circumstance. I am trying to figure out who set the user up that way. As System Admin I can only think of one time where I've had to enable someone for it in last 3 years.
Here's the question....I have asked the service if they had set anyone in that mode. They claim no.
So how can I find out who may have enabled several users that way using the system reporting tools. These users could have been set that way for some time and I really don't have a time frame to search with.
You can teach yourself how to mine the logs and make reports for anything...
As an admin yourself, start the real time activity monitor for administration activity, then do 'some action you are interested in' and see what message you get. Then go to the real time monitor and click the message, and it will open up and reveal activity key.
You can run a admin activity report and filter on activity key.
Then you can run a report and see all occurrences that activity occurred and the admin name who did it.
Example: I created a user and watched the log
I click the date/time hyperlink and get more details, I see Create Principal is the action:
I can now run a report and look for Create Principal and see everyone else who might have done this same action:
Report result: