Re: Auditing ?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/25/05


Date: Tue, 24 May 2005 18:39:50 -0700

Authenticated Users contains all accounts, of people and machines, that
use an authentication method to establish a logged on session.
System is the local name for the machine's account.
You should determine what it is you are being asked to audit.
If it is all access, then you should use Everyone.
If it is all access by our people, then you could consider Domain Users
and Administrators (which will exclude local accounts and machines).

-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Drumgod" <Drumgod@discussions.microsoft.com> wrote in message
news:E42DFDBA-DFB2-4CDD-B558-154BDF131499@microsoft.com...
> All,
>
> I am configuring an audit policy for my network. Security is pretty tight
> here and they are requiring me to audit the entire C: drive for object
> access. I am currently auditing the user group 'Authenticated Users' for
> Success/Failure on the following:
>
> Create Files / Write Data
> Create Folders / Append Data
> Delete
>
> Now this works as expected, but it's also producing object access events with
> the username of 'System'.
>
> I do NOT want to audit system events. Is the system part of the
> authenticated users group, and if so, what group should I be auditing (on my
> domain)?
>
> I have disabled the GPO object to audit system events. Computer
> Configurations | Windows Settings | Security Settings | Local Policies |
> Audit Policy | Audit System Events is set to "No Auditing". I am doing this
> at the domain root and I'm only a single domain. No connection to any other
> domains at all. But I'm still getting events for object access by the 'system'
> account. This is obviously filling up my security logs rather quickly, and I
> don't care what the system is doing.
>
> Anyone know what I'm doing wrong on this? How do I get rid of the object
> access from the system?
>
> TIA
>
> Drum on .. ... . . .
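
One way to apply the reply's suggestion of auditing Domain Users in place of Authenticated Users, as an added example that is not part of the original thread. `CONTOSO` is a placeholder domain name, the script assumes an elevated PowerShell session, and it covers only the Domain Users entry.

```powershell
# Added example, not from the thread. CONTOSO is a placeholder domain name.
# Reading or writing a SACL requires the "Manage auditing and security log"
# right, so run this from an elevated session.
$Path     = 'C:\'
$OldGroup = 'NT AUTHORITY\Authenticated Users'
$NewGroup = 'CONTOSO\Domain Users'

# The three access types listed in the question. CreateFiles shares a bit with
# WriteData and CreateDirectories with AppendData, matching the paired names
# shown in the auditing dialog.
$rights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# -Audit makes Get-Acl include the SACL; without it only the DACL is returned.
$acl = Get-Acl -Path $Path -Audit

# Remove every audit entry whose identity is Authenticated Users. Only the
# identity of the rule passed in is used for matching.
$oldRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $OldGroup, $rights, $inherit, $propagate, $flags)
$acl.RemoveAuditRuleAll($oldRule)

# Add the replacement entry, inherited by all subfolders and files.
$newRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $NewGroup, $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($newRule)

Set-Acl -Path $Path -AclObject $acl

# Confirm which identities are now audited on the root of the drive.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```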

