Interactive login event ID 528 not appearing in SBS security event log for domain users
- From: Chiper <chiper69@xxxxxxxxxxxxxxxx>
- Date: Sun, 11 Nov 2007 17:41:24 -0800
Hi,
I have been working on this issue for a couple of days now and have
read through many previous posts, the Windows Server 2003 Security
Guide and the Threats and Countermeasures: Security Settings in
Windows Server 2003 and Windows XP guides.
We have an SBS 2003 SP1 server (no R2) and the Windows security event log
shows event ID 528 logon type 2 (interactive logon) for the
administrator account only. The workstations are all joined to the
domain and I receive a lot of event ID 540, which is the network logon,
when domain users log on; however, we never see event ID 528.
I have set the following under Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Audit Policy under
the Small Business Server Auditing Policy GPO.
Account Logon Events (Success & Failure)
Account Management (Success & Failure)
Logon Events (Success & Failure)
Object Access (Failure)
Policy Change (Success & Failure)
Privilege Use (Failure)
Process Tracking (Failure)
System Events (Success & Failure)
I have run a gpupdate /force on the SBS and also checked to ensure
that no other policies are overwriting the GPO. I did this by typing
gpedit.msc going to Local Computer and expanding Computer
Configuration -> Windows Settings -> Security Settings -> Local
Policies -> Audit Policy. All settings match the settings above.
I have rebooted the SBS server and still I can't see users' interactive
logon events. I have set up a test server in our lab running SBS 2003
and even with the default settings I don't see the users' interactive
logons. Enabling the settings above also makes no difference.
I know I can use the network logon event ID 540; however, this logs
access to an NTFS file share, printer etc. and what we want to establish
is when a user logs onto their computer and when they log out. Could
you please advise if this is by design and I'm chasing my tail here??
Why is only the administrator user account showing in the event 528
interactive logon? We also see event ID 528 generated for the SYSTEM
and BESAdmin (BlackBerry user account) accounts, but not for
interactive logon, rather for logon type 5, which is service.
Interestingly, if I view the linked list of GPOs, the Small Business
Server Auditing Policy does not appear. I presume this is because the
policy is applied to the domain controller only, not the entire
domain?
The domain controller policy has by default:
Account Logon Events (Success)
Logon Events (Success)
Hence regardless it should log the interactive logons???
The default domain policy does not define any settings. Just for
interest's sake I set both the Domain Controller and default domain
policies the same as the auditing policy and still I can't see the
interactive logons.
Any help would be greatly appreciated. Please let me know if you
require any more information.
Kind Regards,
Chiper