Re: Making Object Access Auditing Work



It does not need to be enforced. Enforced just means that the policy cannot
be overridden by another GPO and is not the default setting. Did you try
rebooting or using secedit to refresh security policy? Any errors/warnings
in the application log for userenv? --- Steve


"Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:91AAB94C-9633-4EE0-9A15-CD7AB702617D@xxxxxxxxxxxxxxxx
> I'd like to keep this thread going, so here is what I have done.
>
> 1. Double Checked that the auditing is enabled in the Domain Controller
> Security Policy.
> 2. Upgrade to the latest GPMC.
>
> When examining the view of the GPMC under the Linked Group Policy Objects
> I see the following:
>
> Link Order  (Shortcut Icon here ?)  GPO                                Enforced  Link Enabled
> 1                                   Default Domain Controllers Policy  No        Yes
>
> Should the Enforced not be set to "Yes" here?
>
> "Steven L Umbach" wrote:
>
>> It shows auditing of object access is disabled in Local Security Policy.
>> Double check that it indeed is enabled in Domain Controller Security
>> Policy or any other GPOs that may be linked to the domain controller
>> container. By default there is only the default domain controller GPO, of
>> which Domain Controller Security Policy is a subset. Then run the command
>> secedit /refreshpolicy machine_policy /enforce on the domain controller.
>> If that still does not work, restart the domain controller and see if
>> that works. If that does not work then there is some other problem with
>> Group Policy processing and I would suggest that you run the support
>> tools netdiag, dcdiag, and gpotool on that domain controller looking to
>> see if there are any problems that need to be resolved and look in the
>> application and system logs to see if there are any pertinent errors or
>> warnings recorded. --- Steve
>>
>>
>> "Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:72463D7C-5484-4D2A-9D4E-7C4E9628C689@xxxxxxxxxxxxxxxx
>> > The results from secpol.msc
>> >
>> > Audit Account management   Local - Not Defined   Effective - Success, Failure
>> > (Working and Showing Up in Event Viewer)
>> >
>> > Audit Object Access        Local - No Auditing   Effective - No Auditing
>> >
>> > Audit object access does not seem to be working at all. What would you
>> > suggest next?
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Verify in Local Security Policy [secpol.msc] that it does show that
>> >> auditing of object access is enabled for success and failure. For
>> >> Windows 2000 look at the effective setting. Are any object access
>> >> events being recorded at all?? --- Steve
>> >>
>> >>
>> >>
>> >> "Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:430A856C-7781-4157-B875-D7AB8EB3479D@xxxxxxxxxxxxxxxx
>> >> > The server that I want to audit is a Domain Controller. It also
>> >> > serves as a file/print server. The files and folders that I want to
>> >> > audit are on a share which resides on the SAN. The log file is set
>> >> > to overwrite events.
>> >> >
>> >> > Any more ideas?
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> If you enable it in Domain Controller Security Policy, file
>> >> >> auditing will work only on domain controllers. Also check to see
>> >> >> if the security log is full. You may want to clear it and be sure
>> >> >> to increase the size of it substantially. --- Steve
>> >> >>
>> >> >>
>> >> >> "Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:8B443B1C-4C57-4359-97FD-CD76817308EF@xxxxxxxxxxxxxxxx
>> >> >> > I have enabled "Audit Object Access" in the default domain
>> >> >> > controllers policy; it's been enabled for a few days now.
>> >> >> > However, when I set a file up for auditing for success or
>> >> >> > failure of multiple attributes such as delete etc., the changes
>> >> >> > never show up in the Event Viewer Security log, so I suppose
>> >> >> > it's not working or I have something configured incorrectly.
>> >> >> > Note that "Audit Account Management" is also enabled in this
>> >> >> > policy and is writing to the security log with no issues.
>> >> >> >
>> >> >> > Any help would be greatly appreciated.
>> >> >> >
>> >> >> > Thanks
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
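
Added example (not part of the original thread, and not code from any poster): a way to check the audit categories the thread is troubleshooting by parsing the [Event Audit] section of a security template exported with secedit /export /cfg. The sample export is constructed to mirror the settings Ken reported; the function names and the "required" baseline are assumptions made for this illustration.

```python
import configparser

# Constructed sample of a `secedit /export /cfg` file, cut down to the
# sections used here. Values mirror the thread: account management is
# audited for success and failure, object access is not audited at all.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Template encoding of an audit setting: bit 0 = success, bit 1 = failure.
SETTING = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

def parse_event_audit(text):
    """Return {category: int} from the [Event Audit] section, or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (AuditObjectAccess, not lowercased)
    cp.read_string(text)
    if not cp.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in cp["Event Audit"].items()}

def check_required(audit, required):
    """Compare parsed settings with a {category: bitmask} baseline (hypothetical)."""
    problems = []
    for category, need in required.items():
        have = audit.get(category)
        if have is None:
            problems.append(f"{category}: not defined in export")
        elif have & need != need:  # every required bit must be set
            problems.append(f"{category}: have {SETTING[have]}, need {SETTING[need]}")
    return problems
```

For a real export, read the file with open(path, encoding="utf-16") before passing its text to parse_event_audit, since secedit typically writes these files as Unicode.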

