Re: Auditing Logon Events

From: Herb Martin (news_at_LearnQuick.com)
Date: 03/10/04

• Next message: Janet James: "Global Catalog Problem"
• Previous message: Jill Zoeller [MSFT]: "Re: AD & DFS"
• In reply to: Keith: "Auditing Logon Events"
• Messages sorted by: [ date ] [ thread ]

Date: Wed, 10 Mar 2004 11:02:58 -0600

"Keith" <@.> wrote in message news:OOn#lxrBEHA.2628@TK2MSFTNGP11.phx.gbl...
> I have just been trying to set up auditing on my 2k DC to log every time a
> user logs onto the system. However, after 5 minutes I ended up with about
> 2000 entries in the System Log.

Account logon events will log every request to the DC for authentication;
include to "actually logon" or to access services. Even IPSec Kerberos
authentication adds to this load.

If you have a few hundred users this might not be too big a deal.

> What do I need to turn on to correctly log just logon events or have I
done
> it correctly and this is what happens?

You could log just FAILURES. (to determine if you are being attacked.)
You could log "Logon" events which are ONLY interactive logons and are
recorded at the work stations -- but then you will need to collect them all
eventually.

-- 
Herb Martin
"Keith" <@.> wrote in message news:OOn#lxrBEHA.2628@TK2MSFTNGP11.phx.gbl...
> I have just been trying to set up auditing on my 2k DC to log every time a
> user logs onto the system.  However, after 5 minutes I ended up with about
> 2000 entries in the System Log.
>
> What do I need to turn on to correctly log just logon events or have I
done
> it correctly and this is what happens?
>
> Thanks
>
>

• Next message: Janet James: "Global Catalog Problem"
• Previous message: Jill Zoeller [MSFT]: "Re: AD & DFS"
• In reply to: Keith: "Auditing Logon Events"
• Messages sorted by: [ date ] [ thread ]

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint