Re: Authentication Auditing

From: Brad Baker (brad_at_nospam.nospam)
Date: 10/22/05

  • Next message: Steven L Umbach: "Re: Authentication Auditing"
    Date: Fri, 21 Oct 2005 20:48:53 -0400
    
    

    > The failed logon for a "local" computer user for a domain computer would
    > only show in the security log of the domain computer itself - not the
    > domain controller assuming that auditing of logon events was indeed
    > enabled for that domain computer.

    OK, that's what I suspected; however, I am not seeing anything in the local
    computer security log either.

    > Check Local Security Policy of the computer in question to make sure that
    > it indeed does show that auditing of logon events is enabled for success
    > and failure. For Windows 2000 computers look at the effective setting.

    It is enabled but the effective setting displays as "No Auditing". Why? How
    do I correct this?

    The auditing of logon events is enabled for success and failure in the
    Domain Security Policy, so even if that was overriding the settings on the
    domain workstation, the auditing should be enabled, shouldn't it? What am I
    missing?

    > Then try clearing the current security log to make sure it is not full and
    > try again.

    I've done this. It didn't have any effect.

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:e1ujfpp1FHA.2348@TK2MSFTNGP15.phx.gbl...
    > The failed logon for a "local" computer user for a domain computer would
    > only show in the security log of the domain computer itself - not the
    > domain controller assuming that auditing of logon events was indeed
    > enabled for that domain computer. Check Local Security Policy of the
    > computer in question to make sure that it indeed does show that auditing
    > of logon events is enabled for success and failure. For Windows 2000
    > computers look at the effective setting. Then try clearing the current
    > security log to make sure it is not full and try again. Also try logging
    > onto the local console for that computer to see if any logon events are
    > recorded or not. --- Steve
    >
    >
    >
    > "Brad Baker" <brad@nospam.nospam> wrote in message
    > news:uiKWQzn1FHA.3780@TK2MSFTNGP12.phx.gbl...
    >> Steven -
    >>
    >> I think I am either misunderstanding your answer or you aren't
    >> understanding my question :-) Perhaps an example would clarify.
    >>
    >> We have two domain controllers: DC1, DC2
    >> A whole bunch of domain workstations: IIS1, IIS2, IIS3
    >> All of the machines above are part of a domain - let's call it dom1.
    >>
    >> "Audit account logon events" and "Audit logon events" are enabled for
    >> success and failures in the domain security policy for dom1.
    >>
    >> Now let's say that I attempt to log into a secure website on IIS1 using
    >> the dom1\administrator account and it fails.
    >> I do see an event in the DC1 or DC2 security log. (So far so good)
    >>
    >> Now I attempt to log into the same secure website on IIS1 using
    >> IIS1\administrator.
    >> I don't see an event in DC1, DC2 or IIS1 security log. What do I need to
    >> do to make sure this event gets logged?
    >>
    >> Thanks!
    >> Brad Baker
    >>
    >>
    >>
    >> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    >> news:F7CdnbW54LY82sTeRVn-uw@comcast.com...
    >>> You have to enable auditing of "logon events" for the domain computers
    >>> which could be done in Domain Security Policy. Then you will see a type
    >>> 2 logon event recorded when a domain user logs onto the domain computer
    >>> in that domain computer's security log. The reason "audit logon events"
    >>> does not work for domain computers is because the account logon event is
    >>> only recorded on the computer that authenticates the user which is a
    >>> domain controller for domain users. --- Steve
    >>>
    >>>
    >>> "Brad Baker" <brad@nospam.nospam> wrote in message
    >>> news:e2vu5dn1FHA.164@TK2MSFTNGP10.phx.gbl...
    >>>> We are trying to ensure that we have auditing enabled for all login
    >>>> attempts to either domain or local machine accounts.
    >>>>
    >>>> I believe that we have enabled auditing for domain level accounts
    >>>> through GPO. We have enabled "audit account logon events" and "audit
    >>>> logon events" under Local Policies -> Audit Policy. I am seeing login
    >>>> attempts for domain accounts on our domain controller's security logs
    >>>> but I am not seeing login attempts for local accounts either in the
    >>>> domain controller's security logs or on the local machine security
    >>>> logs.
    >>>>
    >>>> How do we enable logging of authentication attempts against local (not
    >>>> domain) accounts? Is this another GPO setting? Are we looking in the
    >>>> wrong place? Alternatively, is there a setting at the local machine
    >>>> level that needs to be set? Any information or assistance would be
    >>>> appreciated.
    >>>>
    >>>> Thanks,
    >>>> Brad Baker
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >
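
The local-versus-effective comparison discussed in this thread can be scripted. The following is an added example, not part of the original posts: it assumes the local and the effective audit settings have each been exported to a security template (.inf) file, for example with `secedit /export`, and compares the two logon-related entries of the `[Event Audit]` section. The sample templates and all function names are constructed for illustration.

```python
import configparser

AUDIT_SUCCESS, AUDIT_FAILURE = 1, 2  # bit flags used by [Event Audit] values

# The two audit categories the thread is about (template key -> UI label).
CATEGORIES = {
    "AuditLogonEvents": "Audit logon events",
    "AuditAccountLogon": "Audit account logon events",
}

# Constructed samples. Real exports are usually UTF-16 files; decode first.
SAMPLE_LOCAL = """[Unicode]
Unicode=yes
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
"""
SAMPLE_EFFECTIVE = """[Unicode]
Unicode=yes
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 3
"""

def read_event_audit(inf_text):
    """Return the [Event Audit] section as {key: int}; {} if it is absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(inf_text)
    if not parser.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in parser.items("Event Audit")}

def describe(value):
    """Render a template value the way the policy editor words it."""
    if value is None:
        return "Not Defined"
    flags = ((AUDIT_SUCCESS, "Success"), (AUDIT_FAILURE, "Failure"))
    return ", ".join(name for bit, name in flags if value & bit) or "No Auditing"

def compare(local_text, effective_text):
    """Return (label, local, effective, differs) for each logon category."""
    local = read_event_audit(local_text)
    effective = read_event_audit(effective_text)
    rows = []
    for key, label in CATEGORIES.items():
        loc, eff = local.get(key), effective.get(key)
        rows.append((label, describe(loc), describe(eff), loc != eff))
    return rows

if __name__ == "__main__":
    for label, loc, eff, differs in compare(SAMPLE_LOCAL, SAMPLE_EFFECTIVE):
        note = "  <-- local setting is not the one in effect" if differs else ""
        print(f"{label}: local={loc}; effective={eff}{note}")
```

A row flagged as differing means the value set on the machine is not the one being applied, which is the symptom described above for logon events.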

