Re: Auditing ?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/25/05

• Next message: Roger Abell: "Re: Running programs for non-previleged users on XP"
• Previous message: Roger Abell: "Re: Question on Local Security Policy"
• In reply to: Drumgod: "Auditing ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 24 May 2005 18:39:50 -0700

Authenticated Users contains all accounts, of people and machines, that
use an authentication method to establish a logged on session.
System is the local name for the machine's account.
You should determine what it is you are being asked to audit,
If it is all access, then you should use Everyone.
If it is all access by our people, then you could consider Domain Users
and Administrators (which will exclude local accounts and machines).

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Drumgod" <Drumgod@discussions.microsoft.com> wrote in message
news:E42DFDBA-DFB2-4CDD-B558-154BDF131499@microsoft.com...
> All,
>
> I am configuring an audit policy for my network. Security is pretty tight
> here and they are requreing me to audit the entire C: drive for object
> access. I am currently auditing the user group 'Authenticated Users' for
> Success/Failure on the following:
>
> Create Files / Write Data
> Create Folders / Append Data
> Delete
>
> Now this works as expected, but its also producing object access events
with
> the username of 'System'.
>
> I do NOT want to audit system events. Is the system part of the
> authenticated users group, and if so , what group should i be auditing (on
my
> domain).
>
> I have disable the GPO object to audit system events. Computer
> Configurations | Windows Settings | Security Settings | Local Policies |
> Audit Policy | Audit System Events is set to "No Auditing".  I am doing
this
> a the domain root and im only a single domain. No connection to any other
> domains at all. But im still getting events for object access by the
'system'
> account. This is obviusly filling up my security logs rather quickly, and
I
> dont care what the system is doing.
>
> Anyone know what im doing wrong on this ? How do i get rid of the object
> access from the system?
>
> TIA
>
> Drum on .. ... . . .

---

• Next message: Roger Abell: "Re: Running programs for non-previleged users on XP"
• Previous message: Roger Abell: "Re: Question on Local Security Policy"
• In reply to: Drumgod: "Auditing ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Repost: Local logon and Network Access settings ... think require network login since they are over the wire do in fact ... In the default situation, Authenticated Users ... is a member of User on a member machine, and, Users are granted ... user accounts that should be allowed to log into the machines in SomeOU. ... (microsoft.public.windows.group_policy) Re: windows new users? ... the 2 accounts that I mentioned abv is some username ... "userS" in the account name and they are security principal identifier ... those without the Authenticated Users group will hit into a brick wall! ... (microsoft.public.windowsxp.setup_deployment) Re: windows new users? ... doesn't use any accounts at all. ... To login and fulfill the remote assistance, ... those without the Authenticated Users group will hit into a brick wall! ... (microsoft.public.windowsxp.setup_deployment) RE: GPO not being applied to OU ... accounts as well. ... member of the authenticated users group. ... "visiting users" from another OU would have permission to have the GPO ... the users OU...only user settings will affect that OU and its users, ... (microsoft.public.windows.group_policy)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.win2000.security  > 2005-05