Re: Auditing Logon events on Windows 2003 DC
From: rhubman16 (rhubman16_at_discussions.microsoft.com)
Date: 10/20/04
- Next message: Al Mulnick: "Re: repost: HELP: AD certificate corruption after domain restore?"
- Previous message: news.microsoft.com: "Custom MMC consoles"
- In reply to: Andy Barkl [MVP]: "Re: Auditing Logon events on Windows 2003 DC"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 20 Oct 2004 05:19:07 -0700
I have read that article before, the problem is the Audit Logon events (5xx)
are not writing to the domain controller.
"Andy Barkl [MVP]" wrote:
> "rhubman16" <rhubman16@discussions.microsoft.com> wrote in message
> news:45F22023-9200-42FF-B3A4-49E5B8411263@microsoft.com...
> >I am trying to monitor logon failures on our domain controllers. I read
> >that
> > if you turn on the 'Audit Logon Events' policy on the DCs, you will get
> > entries in the 500 range in the event viewer (ie. 539 account locked out).
> >
> > I dont get these entries I do get 675 errors but there are hundreds of
> > them,
> > it also enters one for bad passwords.
> >
> > Does anyone know what I am doing wrong?
> >
> > Thank you
>
> This article lists the Account Logon events (6xx) and Audit Logon events
> (5xx) which are different;
> http://www.microsoft.com/technet/security/guidance/secmod128.mspx#EIAA
>
>
>
- Next message: Al Mulnick: "Re: repost: HELP: AD certificate corruption after domain restore?"
- Previous message: news.microsoft.com: "Custom MMC consoles"
- In reply to: Andy Barkl [MVP]: "Re: Auditing Logon events on Windows 2003 DC"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
