Re: Auditing Account management events
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/29/04
- In reply to: FEX: "Re: Auditing Account management events"
Date: Mon, 29 Nov 2004 03:09:48 GMT
If you have configured auditing of account management in Domain Controller
Security Policy, check the Local Security Policy of your domain controllers
to see if it shows as "effective" setting [assuming W2K] for both of them
for auditing of account management for success and failure. If it does and
you still do not see the events recorded, try clearing the security logs on
both domain controllers [saving them to file if need be] and increasing the
size of the security logs quite a bit to say at least 10 MB. By default the
security log is small and will stop recording events until manually cleared
after it fills up. --- Steve
"FEX" <anonymous@discussions.microsoft.com> wrote in message
news:0dfe01c4d5b7$116ca200$a501280a@phx.gbl...
> ummm curiously, that's what I'm doing. I enabled auditing
> account management in the security policy on both domain
> controllers (DC-OU); however I can't see any event id how
> I told you.
>
>
>
>>-----Original Message-----
>>You don't need to do it that way and that would not work anyhow for what you
>>are looking for. Simply enable auditing of "account management" in the
>>security policy of the computer where you want to track these events. If you
>>are tracking events for domain users, enable auditing of account management
>>in Domain Controller Security Policy and view the security logs of the
>>domain controllers to find the related events. You can use the free Event
>>Comb tool from Microsoft to scan multiple computer logs in the domain from a
>>central point. See the link below for more details including explanation of
>>some Event ID's. --- Steve
>>
>>http://www.microsoft.com/technet/security/guidance/secmod144.mspx
>>
>>"fex" <anonymous@discussions.microsoft.com> wrote in message
>>news:0dcb01c4d5a6$35380e10$a501280a@phx.gbl...
>>>
>>> Hello,
>>>
>>> I've been auditing multiple events (System Events,
>>> Policy Changes, Logon Events, but specially all events
>>> referring to Account management events like (User Account
>>> create, User Account Deleted, etc.) However, I applied
>>> the auditing to the default group everyone on Default
>>> Domain Controller Policy, to check specially all changes
>>> made by users with domain admin rights. But at this moment
>>> they are changing users -passwords - deleting users and -
>>> I don't receive any event id; for instance (ID:624-627-630)
>>> at the moment they applied any change on the DC.
>>>
>>> I would like to know what is my misconfiguration or I need
>>> more configuration or the default group it is not applied
>>> right way ?
>>>
>>> I will thanks any comment !!!
>>
>>
>>.
>>
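Added example, not part of the original thread: a check over Security log records collected from both domain controllers that reports the account management event IDs named above (624, 627, 630) per DC and flags a DC whose log went quiet long before its peer, the symptom of a full log described in the reply. The CSV column layout, the sample records and the one-day threshold are assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta

# Event IDs named in the thread (Windows 2000/2003 Security log numbering).
ACCOUNT_MGMT = {624: "user account created",
                627: "password change attempted",
                630: "user account deleted"}

# Constructed sample export; the column layout is an assumption for this example.
SAMPLE = """computer,time,event_id
DC1,2004-11-28 09:00:12,528
DC1,2004-11-28 09:02:40,624
DC1,2004-11-28 14:31:05,627
DC1,2004-11-28 18:45:59,630
DC2,2004-11-20 07:15:00,528
DC2,2004-11-20 07:16:30,538
"""

def summarize(export_text, max_lag=timedelta(days=1)):
    """Per DC: account management counts, last record time, and findings."""
    per_dc = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        dc = per_dc.setdefault(row["computer"], {"counts": {}, "last": None})
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if dc["last"] is None or when > dc["last"]:
            dc["last"] = when
        eid = int(row["event_id"])
        if eid in ACCOUNT_MGMT:
            dc["counts"][eid] = dc["counts"].get(eid, 0) + 1
    if not per_dc:
        return {}
    newest = max(dc["last"] for dc in per_dc.values())
    for dc in per_dc.values():
        dc["findings"] = []
        if not dc["counts"]:
            dc["findings"].append("no account management events")
        # A log that went quiet long before its peer is consistent with a
        # full log that stopped recording until it is manually cleared.
        if newest - dc["last"] > max_lag:
            dc["findings"].append("log stopped recording")
    return per_dc

if __name__ == "__main__":
    for name, dc in sorted(summarize(SAMPLE).items()):
        print(name, dc["last"], dc["counts"], dc["findings"] or "ok")
```

A DC flagged with both findings is the one whose effective audit setting and security log size should be checked first.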