Re: Auditing Workstation logons from DC

---

• From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
• Date: Tue, 24 Jan 2006 21:31:56 -0700

---

The DCs should but with the limitations you noted of grepping the
needed info from the extended data and of finding it in all of the rest.
Please keep in mind that by relying on the client systems' security
logs you are at risk of reliability loss by local admin flushing of logs.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"Andy1974" <Andy1974@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A984D979-E047-42B9-A37C-5470E9CF44D2@xxxxxxxxxxxxxxxx
> EventCombMT works great. I don't see why the DC can't log the events in
> it's
> own event viewer though.
>
> No complaints using EventCombMT though. Thanks.
>
> "Roger Abell [MVP]" wrote:
>
>> You may want to think about looking directly at the security logs of
>> the client systems, using such as EventCombMT
>> http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=eventcombmt
>>
>> Alternatively if you are adventurous look into LogParser
>> http://www.logparser.com/
>>
>> --
>> Roger
>>
>> "Andy1974" <Andy1974@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:24118BA3-CED5-455C-986A-F78AA341B81A@xxxxxxxxxxxxxxxx
>> >I am trying to see workstation interactive logins in the Windows 2003 DC
>> > event viewer but am not seeing the events. I am seeing
>> > Remoteinteractive
>> > as
>> > well as interactive directly into the Domain Controller itself.
>> > However
>> > workstation computers that are a member of the domain are not
>> > registering
>> > event 528 or 539 type 2's in the event viewer. I have Domain Security
>> > Settings for Audit account logon to Success and Audit logon events to
>> > success. I have Domain Controller Settings to audit account logon to
>> > Success
>> > and Failure and Audit Logon to Success and Failure. I am running
>> > Windows
>> > 2003 Small Business Server.
>>
>>
>>


.

---

• References:
  • Re: Auditing Workstation logons from DC
    • From: Roger Abell [MVP]

• Prev by Date: Re: problem with "Restricted Groups" within a GPO linked to my dom
• Next by Date: Re: Logon Type 2 during non business hours
• Previous by thread: Re: Auditing Workstation logons from DC
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Auditing Workstation logons from DC ... > well as interactive directly into the Domain Controller itself. ... > Settings for Audit account logon to Success and Audit logon events to ... I have Domain Controller Settings to audit account logon to ... > and Failure and Audit Logon to Success and Failure. ... (microsoft.public.security) Re: Audit interactive logins workstations on DC event viewer ... >I am trying to see workstation interactive logins in the Windows 2003 DC ... > well as interactive directly into the Domain Controller itself. ... > Settings for Audit account logon to Success and Audit logon events to ... I have Domain Controller Settings to audit account logon to ... (microsoft.public.windows.server.sbs) Re: Connection Failure -- 360 and Media Center ... network device Provider ... Windows security auditing, cryptographic operation, success. ... I'm getting these logs by creating a custom view of events logged in ... (microsoft.public.windows.mediacenter) Re: MS Vulnerability? I was hacked! ... I was the lat person to access my logs before ... My mail server is clean... ... So that leads me to belive its something in IIS. ... >gave up after having no success. ... (microsoft.public.inetserver.iis.security) Re: MS Vulnerability? I was hacked! ... The DNS server encountered an invalid domain name offset ... can I pull logs of what they did? ... >So that leads me to belive its something in IIS. ... >>gave up after having no success. ... (microsoft.public.inetserver.iis.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)