Re: Audit Software Restriction Policy

From: andy smart (anonymus_at_discussions.microsoft.com)
Date: 10/14/04 

Date: Thu, 14 Oct 2004 08:59:54 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven L Umbach wrote:
| I think that the events would be recorded in the application or system
log
| without enabling any more policies. I know of no specific audit policy
that
| could track that otherwise unless you want to enable auditing of object
| access on the computer and then audit folders for failure for the execute
| permissions for files only in the apply onto selection. The problem with
| enabling auditing of object access is that a lot of events may be
recorded
| in the security log by the system for seemingly unrelated events and it
| would not work on removeable media. --- Steve
|
|
| "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| news:ck5uic$gtm$1@newsfeed.th.ifl.net...
|
| Hi
|
| We now have this software restriction policy which prevents users
| running applications from various places. Not only would we like to stop
| them, we'd like to know who tried :-)
|
| How can I turn on auditing for this? I'd like it to record every time a
| user tries to run an app?
|
| tia
| andy
Just to sort of 'close the call' you were right, the events are recorded
in the local logs. I can use eventquery to pull the data off into a file
and view it from there.

thanks for your help
andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBbjH6qmlxlf41jHgRAkZiAKDRRXeU8Nggdqde/F1R254pBpdAWgCgziwj
W1i3lOMhObyw72X5jUg8cFM=
=UhNU
-----END PGP SIGNATURE-----