Re: security auditing




Florian,
I think you answered my question at the very end of your answer. I was
not sure where the logs would be written to but from what you wrote it will
be on the domain controller that the computer validates to. Is that correct?

As far as what I want to collect, I am not sure. We are a state agency
and will have a mandate sometime this year to start keeping logs on computer
activity but we do not know what they want yet. I just wanted to start
working on this and see how much log space we are looking at for this
project.

Larry

"Florian Frommherz" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uErDK5pfGHA.1456@xxxxxxxxxxxxxxxxxxxxxxx
Howdy Larry!

Larry D wrote:
Per regulations I will need to start auditing and saving user login and
logoffs. I enabled 'Audit account logon events' and 'Audit logon events'
under Computer Configuration-Windows Settings-Security Settings-Local
Policies/Audit Policy for a policy that covers about 15 users to test it.
However, it is not obvious where this information will be stored. Is this
the best way to do this? I will need to do this for about 250 users and
save the data to tape for storage eventually.

Which logon attempts are you trying to track? The local logons at the
client machines or the logons at the domain?

If you want to log all local logons, go create the "Audit logon events"
policy at OU level where the machines lie that shall audit all logins.

If you want to log all domain logons, go create the "Audit account logon
events" at the "Default Domain Controllers"-OU. It will only work for this
OU. After the policy got applied, the domain controllers will start
logging the logon attempts. Keep in mind that only the one domain
controller that receives and proceeds the "logon request" will write the
attempt into its event log. The others won't.

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
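
Since each domain controller records only the logon requests it handled itself, a complete record means reading the Security log on every DC. The following PowerShell sketch is an added example, not part of the original thread: it merges account logon events from all DCs and reports each DC's Security log size for capacity planning. It assumes the ActiveDirectory module, Windows Server 2008 or later event IDs (4768, 4771, 4776), a 24-hour window, and a constructed output path.

```powershell
# Added example: gather "Audit account logon events" records from every DC.
# Assumptions: ActiveDirectory module (RSAT) is installed, the caller may read
# the Security log remotely, and the DCs use Windows Server 2008+ event IDs.
Import-Module ActiveDirectory

$since   = (Get-Date).AddDays(-1)     # assumed collection window: last 24 hours
$ids     = 4768, 4771, 4776           # Kerberos TGT request, Kerberos pre-auth failure, NTLM validation
$outFile = Join-Path $env:TEMP 'account-logon-events.csv'   # constructed path

$summary = @()
$events = foreach ($dc in Get-ADDomainController -Filter *) {
    $name  = $dc.HostName
    $found = @()
    try {
        $found = @(Get-WinEvent -ComputerName $name -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = $since })
    } catch {
        # Get-WinEvent raises an error when nothing matches; that is not a failure.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "Could not read Security log on ${name}: $($_.Exception.Message)"
            continue
        }
    }
    # Current size of this DC's Security log, to estimate storage needs.
    $log = Get-WinEvent -ListLog Security -ComputerName $name
    $summary += [pscustomobject]@{
        DomainController = $name
        EventsInWindow   = $found.Count
        LogSizeMB        = [math]::Round($log.FileSize / 1MB, 1)
        MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    }
    foreach ($e in $found) {
        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $name                 # the DC that handled this logon
            EventId          = $e.Id
            Result           = $e.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
            Summary          = ($e.Message -split "`r?`n")[0]
        }
    }
}

# One time-ordered file covering all DCs, suitable for archiving.
$events | Sort-Object TimeCreated | Export-Csv -Path $outFile -NoTypeInformation
$summary | Format-Table -AutoSize
```

A DC whose `LogSizeMB` is close to `MaxSizeMB` may already be overwriting older events, so archive before the log wraps.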

