Re: security log filling/ audit policy being overwritten

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/19/04


Date: Mon, 19 Jul 2004 18:11:10 GMT

For the audit configuration settings that you do not want enabled in Domain Controller
Security Policy, make sure you set them to "no auditing" and not undefined. You have
to make the changes in Domain Controller Security policy for domain controllers and
not Local Security Policy on a domain controller as the Domain Controller Security
Policy will override the local policy. Check to make sure that there is only one GPO
linked to the domain controller container by looking in the container
properties/Group Policy. If you do have more than one GPO in the domain controller
container, the one highest in the list has highest priority and that is where you
would want to configure your auditing settings. --- Steve

"fnstrat2" <fnstrat2@discussions.microsoft.com> wrote in message
news:D1410943-728A-4121-B325-8DCA78A210CB@microsoft.com...
> I removed the no override option, and set all audit policies to not defined. I ran
> gpupdate and gpotool with no errors. Then I set the auditing of logons and system
> events to failure. 10 minutes later they were both overwritten to success and
> failure. Any more ideas?
> Thanks
>
> "Steven L Umbach" wrote:
>
> > Windows 2003 audits a lot of events by default - maybe too much for most users.
> > Make sure that you do not have no override configured on any domain level GPO. No
> > override is meant to prevent closer level policy from overriding settings defined
> > in that GPO and would have little use on the domain controller container. I would
> > configure policy as you need it in the Domain Controller Security Policy being sure
> > to use "disable" and not undefined wherever you do not want to configure an
> > auditing setting to be enabled. Do the same at the domain level and get rid of all
> > the no overrides and after everything replicates after a while you should be all
> > set. Of course you could have a replication problem. After you change your
> > policies, run gpupdate /target:computer /force. After ten minutes or so use gpotool
> > to see if it finds any replication problems with your Group Policies. --- Steve
> >
> >
> > "fnstrat2" <fnstrat2@discussions.microsoft.com> wrote in message
> > news:2EA345FD-9DD7-4E69-BC4C-D84347B4AC12@microsoft.com...
> > > After upgrading to Windows 2003 I started noticing the security event log being
> > > filled every day. I checked the audit policies for the local machine and they
> > > were still undefined. After checking the audit policy in the default domain
> > > controller policy object I noticed they had all been changed to audit success
> > > and failure of all events. I changed this back to the settings I need and after
> > > checking back half an hour later they were all changed back to success and
> > > failure for all events. I've tried editing the policy both from ADUC and with
> > > the gpmc.msc utility.
> > >
> > > I applied the no override option and it appears to be holding for now. The
> > > domain controller policy is applied at the lowest level OU and should be the one
> > > being applied to the DCs. There is no audit policy assigned to the site and the
> > > audit policy assigned to the entire domain does not match the policy that was
> > > overwriting the DC policy.
> > >
> > > OK, now 10 minutes later the default domain policy has changed to audit all
> > > events success and failure even with the no override option on. The local
> > > computer policy also has success and failure for all objects. What is going on?
> > >
> > > Running Resultant Set Of Policies says the audit policies are being assigned by
> > > the Default Domain Controllers Policy, which is the one I set to no override and
> > > is still being overwritten.
> > >
> > > I do have IPSec enabled between all servers and most of the success events that
> > > are filling the logs are the IKE negotiation events.
> > >
> > > Any ideas?
> > >
> >
> >
> >
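
Added example, not part of the original posts: a small Python model of why "no auditing" and "not defined" behave differently when a domain controller GPO sits above a domain-level GPO. The template contents and policy names are constructed; the setting names and the 0-3 values follow the `[Event Audit]` section of a GPO security template, and the No Override option is not modelled.

```python
import configparser

# Constructed sample templates (not taken from the thread). Setting names and the
# 0-3 values follow the [Event Audit] section of a GPO security template.
DC_GPO_UNDEFINED = """
[Event Audit]
AuditLogonEvents = 2
AuditSystemEvents = 2
"""
DC_GPO_EXPLICIT = """
[Event Audit]
AuditLogonEvents = 2
AuditSystemEvents = 2
AuditObjectAccess = 0
AuditPrivilegeUse = 0
"""
DOMAIN_GPO = """
[Event Audit]
AuditLogonEvents = 3
AuditSystemEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
"""
LABELS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

def parse_event_audit(inf_text):
    """Return only the settings a template explicitly defines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original key case
    cp.read_string(inf_text)
    if not cp.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in cp.items("Event Audit")}

def effective_audit(policies):
    """policies: (name, inf_text) pairs, highest precedence first.
    The first policy that defines a setting wins; undefined settings fall through."""
    result = {}
    for name, text in policies:
        for key, value in parse_event_audit(text).items():
            result.setdefault(key, (LABELS[value], name))
    return result

if __name__ == "__main__":
    for dc in (DC_GPO_UNDEFINED, DC_GPO_EXPLICIT):
        eff = effective_audit([("DC policy", dc), ("Domain policy", DOMAIN_GPO)])
        for key in sorted(eff):
            print(f"{key:20} {eff[key][0]:18} from {eff[key][1]}")
        print()
```

With the undefined template, object access and privilege use auditing come from the domain policy at "Success, Failure"; with the explicit template the DC policy's "No auditing" wins.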


