Re: GPO Policy Auditing Solution (Last question)

From: Dave Leonardi (cyberfrost100_at_yahoo.com)
Date: 03/18/04


Date: Wed, 17 Mar 2004 23:40:27 -0500

Doug,

            Your help and advice is greatly appreciated. I think I'm going
back to the old DOS days, like the one scenario you suggested with the batch
program. Who says DOS is obsolete? I'm going to give this a shot and see
what happens. It is essentially ideal to my needs for this particular
instance.
            The only and probably last question I have is the Lab Computers
being unlawfully logged onto are located in a sub OU named CCS Computers
under a parent OU named CCSLAB. CCSLAB contains various OUs such as CCS
Computers, CCS Students, CCS Teachers and so forth. Each sub OU has its own
policy. Offending teachers and users are logging onto the CCS Lab classroom
computers, but their user objects are under other respective OUs (out of the
CCS Lab OU structure).
            My question is where do I place the Logonreport.bat script
(group policy) under the computer policy for CCS Computer OU or under the
offending users OU and would this be a user policy or computer policy
considering the circumstance? I'm thinking if the offending users pull
policies from only their own respective OU, then they should have the
logonreport.bat in their OU Policy so they execute it when they logon. Give
me a yell if you think this sounds about right or have a better alternative.
Thanks again for everything Doug, you've been a great help.

P.S. The users in the Computer Lab are only 3rd and 4th graders. The
CCSLAB is so tied down with group policy restrictions it's almost scary and
believe it or not it's the adults you have to look out for, you know the
ones with Webshots, AOL and Kazaa.

Dave Leonardi

"Doug Sherman" <dsherman@nospamtampabay.rr.com> wrote in message
news:uN2c3M%23CEHA.2888@TK2MSFTNGP09.phx.gbl...
> Your idea is basically sound. Group Policy allows you to create an OU,
> place objects in it, and build a policy which affects only those objects.
> If the objects in the container are users, you can also filter application
> of the policy by groups. So, the problem is not with the flexibility of
> Group Policy - the problem is with the properties of auditing. Most audited
> events are going to be recorded in the Security log on the local machine,
> and this is not convenient.
>
> Windows 2000 has some built-in variables that make it easy for us to do
> things the old fashioned way. Here's an alternative that might work for
> you:
>
> 1. Create a share on your computer eg. LogonReports.
>
> 2. Open Notepad and enter the following:
>
> echo %username% logged on to %computername% at %time% >>\\yourcomputer\LogonReports\%computername%.txt
>
> 3. Save the file as LogonReport.bat
>
> 4. If you run LogonReport.bat on a computer called Student1, a file called
> Student1.txt will appear in the LogonReports folder on your computer. If
> you open Student1.txt, you will see something like:
>
> John Smith logged onto Student1 at 23:59:16
>
> If the file runs only at logon, then the time will be accurate.
>
> 5. You can use Group Policy to apply LogonReport.bat as a logon script; or
> simply copy it to the Documents and Settings/All Users Startup folder on
> each lab machine.
>
> Of course, you realize you are going to discover that all kinds of students
> know and use each other's username/passwords; and they really, really,
> really needed to use the lab computers to set up that marathon Quake III
> deathmatch.
>
> Doug Sherman
> MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
>
> "Dave Leonardi" <DaveLeonardi@yahoo.com> wrote in message
> news:ebwCiuvCEHA.2576@TK2MSFTNGP11.phx.gbl...
> > Doug,
> > Thanks for the explanation and I guess I'm stuck within my confines.
> > I had an idea, whether it's sound or not I'll leave to you. What about a
> > group policy that only applies to a specific group, users or computers.
> > This way it would only affect them. Something along those guidelines. What
> > do you think?
> >
> > Dave Leonardi
> > "Doug Sherman [MVP]" <dsherman@nospam.tampabay.rr.com> wrote in message
> > news:uUSkxzrCEHA.1452@TK2MSFTNGP09.phx.gbl...
> > > As you have discovered account logon auditing is pretty much an all or
> > > nothing deal:
> > >
> > > 1. If there are multiple Domain Controllers and one of them is local to
> > > the lab's subnet such that only (or mostly) lab users are authenticated by
> > > that machine, then place the computer account for this DC in a sub-OU
> > > created within the Domain Controller's OU and enable account logon
> > > auditing in the group policy for the new sub-OU. This way the DC will get
> > > the policies for all DCs plus auditing only for the users it
> > > authenticates; OR
> > >
> > > 2. In the Group Policy local policy settings for the machines in your new
> > > CCSLAB OU, enable auditing for logon events. Logon events are different
> > > from account logon events. Logon events will create a security log for
> > > all persons who logon from these machines. However, the log will also
> > > show system account logons and accounts connecting to the machine from
> > > remote computers.
> > >
> > > Also, the security logs for logon events are not maintained on the DC -
> > > they appear in the Event logs for the individual machine. You can view
> > > remote machine logs through the Computer Management console, or you could
> > > use a script to have reports sent from remote machine; but this may not be
> > > practical if there are a lot of machines in this lab.
> > >
> > > Doug Sherman
> > > MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> > >
> > > "Dave Leonardi" <cyberfrost100@yahoo.com> wrote in message
> > > news:eXCbD%23pCEHA.580@TK2MSFTNGP11.phx.gbl...
> > > > Good Morning,
> > > >
> > > > I was wondering if someone could assist me with a group policy
> > > > auditing scenario. I would like to apply successful/failure auditing
> > > > only on a group of computers in a computer lab, not the whole domain.
> > > > What is happening is certain individuals are logging on to the classroom
> > > > computers when they have no business being there. I would like to find
> > > > out who is attempting logon without authorization.
> > > > I created an OU called CCSLAB, which contains all the lab computers,
> > > > and has an attached group policy underneath it named CCSLAB computer
> > > > policy (no settings created for now). I also have noted that under my
> > > > default domain controller policy, all auditing features are set to no
> > > > auditing by default. I set the audit logon events to success/failure on
> > > > the domain controller default policy, but it's grabbing everyone.
> > > > Needless to say that went away quickly. I would appreciate it if someone
> > > > could propose a solution to monitor user logon just for the CCSLAB OU.
> > > > Thanks for your time it is greatly appreciated.
> > > >
> > > >
> > > >
> > > > Regards,
> > > >
> > > >
> > > >
> > > >
> > > > David Leonardi
> > > >
> > > >
> > >
> > >
> >
> >
>
>
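
Added example, not part of the thread and not code from either poster: a Python script for reviewing the per-computer files that the quoted LogonReport.bat appends to, flagging entries whose user is not on an allow-list. The sample lines, the account names and the `H:MM:SS.cc` shape assumed for `%time%` are constructed for illustration.

```python
import re

# Line format written by the thread's LogonReport.bat:
#   <username> logged on to <computername> at <time>
# %time% carries no date and pads hours below 10 with a space.
LINE_RE = re.compile(
    r"^(?P<user>.+?) logged on to (?P<computer>\S+) at\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}(?:[.,]\d{1,2})?)\s*$"
)

def parse_report(text):
    """Return (records, rejected): parsed dicts and lines that did not match."""
    records, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            rejected.append(raw)  # keep malformed or edited lines for review
    return records, rejected

def unexpected_logons(records, allowed_users):
    """Records whose user is not in the allowed set (case-insensitive)."""
    allowed = {u.lower() for u in allowed_users}
    return [r for r in records if r["user"].lower() not in allowed]

# Constructed sample of one report file (Student1.txt); not real data.
SAMPLE = """\
student07 logged on to STUDENT1 at 10:15:02.41
John Smith logged on to STUDENT1 at 23:59:16.08
teacher.b logged on to STUDENT1 at  9:03:44.90
logged on to STUDENT1 at
"""
ALLOWED = {"student07", "student08"}  # hypothetical lab accounts

if __name__ == "__main__":
    recs, bad = parse_report(SAMPLE)
    for r in unexpected_logons(recs, ALLOWED):
        print(f'{r["time"]} {r["computer"]}: {r["user"]}')
    print(f"{len(bad)} unparsed line(s) kept for manual review")
```

Because `%time%` carries no date and every user who runs the script must be able to append to the share, treat these files as a convenience trail to corroborate against the Security event log.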


