Re: Making Object Access Auditing Work

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

I'd like to keep this thread going, so here is what I have done.

1. Double Checked that the auditing is enabled in the Domain Controller
Security Policy.
2. Upgrade to the latest GPMC.

When examining the view of the GPMC under the Linked Group Policy Objects I
see the following :

Link Order (Shortcut Icon here ?)GPO Enforced
Link Enabled

1 Default Domain Controllers Policy No
Yes


Should the Enforced not be set to "Yes" here.

"Steven L Umbach" wrote:

> It shows auditing of object access it is disabled in Local Security Policy.
> Double check that it indeed is enabled in Domain Controller Security Policy
> or any other GPOs that may be linked to the domain controller container. By
> default there is only the default domain controller GPO of which Domain
> Controller Security Policy is a subset of. Then run the command secedit
> /refreshpolicy machine_policy enforce on the domain controller. If that
> still does not work restart the domain controller and see if that works. If
> that does not work then there is some other problem with Group Policy
> processing and I would suggest that you run the support tools netdiag,
> dcdiag, and gpotool on that domain controller looking to see if there are
> any problems that need to be resolved and look in the application and system
> logs to see if there are any pertinent errors or warnings recorded. ---
> Steve
>
>
> "Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:72463D7C-5484-4D2A-9D4E-7C4E9628C689@xxxxxxxxxxxxxxxx
> > The results from secpol.msc
> >
> > Audit Account management Local - Not Defined Effective - Success,
> > Failure
> > (Working and Showing Up in Event Viewer)
> >
> >
> > Audit Object Access Local - No Auditing Effective - No
> > Auditing
> >
> >
> > Audit object access does not seem to be working at all. What would you
> > suggest next ?
> >
> >
> >
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> Verify in Local Security Policy [secpol.msc] that it does show that
> >> auditing
> >> of object access is enabled for success and failure. For Windows 2000
> >> look
> >> at the effective setting. Are any object access events being recorded at
> >> all?? --- Steve
> >>
> >>
> >>
> >> "Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:430A856C-7781-4157-B875-D7AB8EB3479D@xxxxxxxxxxxxxxxx
> >> > The server that I want to audit is a Domain Controller. It also serves
> >> > as
> >> > a
> >> > file/print server. The files and folders that I want to audit are on a
> >> > share
> >> > which resides on the SAN. The log file is set to overwrite events.
> >> >
> >> > Anymore ideas ?
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> If you enable it in Domain Controller Security Policy, file auditing
> >> >> will
> >> >> work only on domain controllers. Also check to see if the security log
> >> >> is
> >> >> full. You may want to clear it and be sure to increase the size of it
> >> >> substantially. --- Steve
> >> >>
> >> >>
> >> >> "Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:8B443B1C-4C57-4359-97FD-CD76817308EF@xxxxxxxxxxxxxxxx
> >> >> >I have enabled "Audit Object Access" in the default domain
> >> >> >controllers
> >> >> > policy, its been enabled for a few days now. However, when I set a
> >> >> > file
> >> >> > up
> >> >> > for auditng for success or failure of multiple attributes such as
> >> >> > delete
> >> >> > etc,
> >> >> > the changes never show up in the Event Viewer Security log, so I
> >> >> > suppose
> >> >> > its
> >> >> > not working or I have something configured incorrectly. Note that
> >> >> > "Audit
> >> >> > Account Management" is also enable in this policy and is writing to
> >> >> > the
> >> >> > security log with no issues.
> >> >> >
> >> >> > Any help would be greatly apprecitated.
> >> >> >
> >> >> >
> >> >> > Thanks
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
.

Relevant Pages

  • Re: security log anomolies
    ... object access in particular can generate a huge amount of events especially ... auditing of account logons would be most ... overriding Local Security Policy. ... controllers in particular as Domain Controller Security Policy will override ...
    (microsoft.public.win2000.security)
  • Re: Many events in Security log
    ... If you do not want those events then disable auditing in "Domain Controller ... Security Policy" which is where you manage auditing for domain controllers. ... >> memory and cpu usage with Task Manager. ...
    (microsoft.public.windows.server.security)
  • Re: Object auditing
    ... This share is on a domain controller. ... > auditing of object access in the Local Security Policy or at the domain/OU ... > Security Policy if this is a single domain server that you want to enable it ... >>I enabled audit object access on the Domain Controllers OU. ...
    (microsoft.public.security)
  • Re: Object auditing
    ... Unless this share is on a domain controller, ... Security Policy if this is a single domain server that you want to enable it ... >I enabled audit object access on the Domain Controllers OU. ...
    (microsoft.public.security)
  • Re: Making Object Access Auditing Work
    ... It shows auditing of object access it is disabled in Local Security Policy. ... Double check that it indeed is enabled in Domain Controller Security Policy ...
    (microsoft.public.windows.group_policy)