Re: Authentication Auditing

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/21/05

• Next message: Brad Baker: "Re: password expiration policy for admin and system accounts ?"
• Previous message: Steven L Umbach: "Re: Group security"
• In reply to: Brad Baker: "Authentication Auditing"
• Next in thread: Brad Baker: "Re: Authentication Auditing"
• Reply: Brad Baker: "Re: Authentication Auditing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 21 Oct 2005 14:54:28 -0500

You have to enable auditing of "logon events" for the domain computers which
could be done in Domain Security Policy. Then you will see a type 2 logon
event recorded when a domain user logs onto the domain computer in that
domain computer's security log. The reason "audit logon events" does not
work for domain computers is because the account logon event is only
recorded on the computer that authenticates the user which is a domain
controller for domain users. --- Steve

"Brad Baker" <brad@nospam.nospam> wrote in message
news:e2vu5dn1FHA.164@TK2MSFTNGP10.phx.gbl...
> We are trying to ensure that we have auditing enabled for all login
> attempts
> to either domain or local machine accounts.
>
> I believe that we have enabled auditing for domain level accounts through
> GPO. We have enabled "audit account logon events" and "audit logon events"
> under Local Policies -> Audit Policy. I am seeing login attempts for
> domain
> accounts on our domain controller's security logs but I am not seeing
> login
> attempts for local accounts either in the domain controller's security
> logs
> or on the local machine security logs.
>
> How do we enable logging of authentication attempts against local (not
> domain) accounts? Is this another GPO setting? Are we looking in the wrong
> place? Alternatively, is there a setting at the local machine level that
> needs to be set? Any information or assistance would be appreciated.
>
> Thanks,
> Brad Baker
>

---

• Next message: Brad Baker: "Re: password expiration policy for admin and system accounts ?"
• Previous message: Steven L Umbach: "Re: Group security"
• In reply to: Brad Baker: "Authentication Auditing"
• Next in thread: Brad Baker: "Re: Authentication Auditing"
• Reply: Brad Baker: "Re: Authentication Auditing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Record of logins/logouts? ... > If you enable auditing of logon events, ... > Auditing of logon events has to be enabled on the computer via Local ... > Security Policy or possibly domain level if in a domain. ... (microsoft.public.windowsxp.general) Re: File that manages login details ... Just enable auditing of logon events and system events assuming your ... to see these events once you enable them in Local Security Policy ... >> Domain Controller Security Policy and logon events for Domain Security ... (microsoft.public.security) Re: File that manages login details ... As far as I know the auditing capabilities of XP Home are not configurable ... see if Event Viewer is available and if it is see if a security log exists ... Just enable auditing of logon events and system events assuming your ... (microsoft.public.security) Re: Terminal Services Auditing not working ... I followed your steps for auditting logon events to the T and it ... I make to the local security policy can't be overidden. ... Then using the Terminal Services Configuration tool I've right clicked ... (Focus-Microsoft) Re: How do I find out when user XXX logged in+out on last Tuesday? Event log entry possible? ... You can do that through the local security policy. ... In the right hand pane, right click on Audit logon events. ... (microsoft.public.windowsxp.help_and_support)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)