Re: GPO Policy Auditing Solution

From: Doug Sherman [MVP] (dsherman_at_nospam.tampabay.rr.com)
Date: 03/15/04


Date: Mon, 15 Mar 2004 13:40:04 -0500

As you have discovered, account logon auditing is pretty much an all-or-nothing
deal:

1. If there are multiple Domain Controllers and one of them is local to the
lab's subnet such that only (or mostly) lab users are authenticated by that
machine, then place the computer account for this DC in a sub-OU created
within the Domain Controller's OU and enable account logon auditing in the
group policy for the new sub-OU. This way the DC will get the policies for
all DCs plus auditing only for the users it authenticates; OR

2. In the Group Policy local policy settings for the machines in your new
CCSLAB OU, enable auditing for logon events. Logon events are different
from account logon events. Logon events will create a security log for all
persons who log on from these machines. However, the log will also show
system account logons and accounts connecting to the machine from remote
computers.

Also, the security logs for logon events are not maintained on the DC - they
appear in the Event logs for the individual machine. You can view remote
machine logs through the Computer Management console, or you could use a
script to have reports sent from remote machines; but this may not be
practical if there are a lot of machines in this lab.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

"Dave Leonardi" <cyberfrost100@yahoo.com> wrote in message
news:eXCbD%23pCEHA.580@TK2MSFTNGP11.phx.gbl...
> Good Morning,
>
> I was wondering if someone could assist me with a group policy
> auditing scenario. I would like to apply successful/failure auditing only
> on a group of computers in a computer lab, not the whole domain. What is
> happening is certain individuals are logging on to the classroom computers
> when they have no business being there. I would like to find out who is
> attempting logon without authorization.
> I created an OU called CCSLAB, which contains all the lab computers,
> and has an attached group policy underneath it named CCSLAB computer
> policy (no settings created for now). I also have noted that under my
> default domain controller policy, all auditing features are set to no
> auditing by default. I set the audit logon events to success/failure on
> the domain controller default policy, but it's grabbing everyone. Needless
> to say that went away quickly. I would appreciate it if someone could
> propose a solution to monitor user logon just for the CCSLAB OU. Thanks
> for your time it is greatly appreciated.
>
>
>
> Regards,
>
>
>
>
> David Leonardi
>
>
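
The reply above notes that logon events collected on each lab machine also record system account logons and connections from remote computers. The following is an added example, not part of the original thread, that filters such records down to people logging on at the console. It assumes a CSV export with hypothetical columns computer,event_id,logon_type,account; the machine and account names are constructed.

```python
import csv
import io
from collections import Counter

# Logon types recorded in the event: 2 = interactive (console), 7 = unlock,
# 11 = cached interactive. Type 3 (network) and 5 (service) are the noise.
CONSOLE_TYPES = {2, 7, 11}
# Event IDs: 528/529 on Windows 2000/XP/2003, 4624/4625 on Vista and later.
SUCCESS_IDS = {528, 4624}
FAILURE_IDS = {529, 4625}
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}

# Constructed sample: assumed CSV export, one row per Security log event.
SAMPLE = """computer,event_id,logon_type,account
LAB-PC01,528,2,jsmith
LAB-PC01,540,3,LAB-PC07$
LAB-PC01,528,5,SYSTEM
LAB-PC01,529,2,bjones
LAB-PC01,529,2,bjones
LAB-PC02,4624,3,jsmith
LAB-PC02,4625,2,Administrator
LAB-PC02,4624,11,mlee
"""

def is_person_at_console(row):
    """True for a logon made at the keyboard by a non-system account."""
    account = row["account"].strip()
    if account.endswith("$") or account.upper() in SYSTEM_ACCOUNTS:
        return False  # computer accounts and built-in service identities
    return int(row["logon_type"]) in CONSOLE_TYPES

def summarize(csv_text):
    """Count console logons per (computer, account, outcome)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        if event_id in SUCCESS_IDS:
            outcome = "success"
        elif event_id in FAILURE_IDS:
            outcome = "failure"
        else:
            continue  # e.g. 540, the legacy network-logon success event
        if is_person_at_console(row):
            counts[(row["computer"], row["account"].strip(), outcome)] += 1
    return counts

if __name__ == "__main__":
    for (computer, account, outcome), n in sorted(summarize(SAMPLE).items()):
        print(f"{computer}\t{account}\t{outcome}\t{n}")
```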


