Re: Authentication Auditing

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/22/05


Date: Fri, 21 Oct 2005 21:52:51 -0500

What may be happening is that another Group Policy has auditing defined for
logon events such as at the Organizational Unit Level. Use the support tool
gpresult to see what Group Policies are being applied to the computer. If
there is another GPO being applied then check the settings for that GPO to
see what it is for auditing and change it to suit your needs. If there is no
other domain/OU level GPO for that computer either there is a problem with
Group Policy processing on that computer or it has not propagated to that
computer yet. You could try a manual refresh of the Group Policy using the
command secedit /refreshpolicy machine_policy /enforce for a Windows 2000
computer or gpupdate /force for Windows 2003/XP Pro computers. If you use
gpupdate /force and it asks if you want to reboot you can select no for the
GP settings you are trying to refresh. If problems still persist you have a
deeper problem with Group Policy processing and the first place to look is
that the computer is configured to only use domain controllers as its
preferred DNS servers in TCP/IP properties and to run the support tool
netdiag on it to see if there are problems with network connectivity to
domain controllers, dns, dc discovery, or trust/secure channel. --- Steve

"Brad Baker" <brad@nospam.nospam> wrote in message
news:ev4OkJq1FHA.268@TK2MSFTNGP09.phx.gbl...
>> The failed logon for a "local" computer user for a domain computer would
>> only show in the security log of the domain computer itself - not the
>> domain controller assuming that auditing of logon events was indeed
>> enabled for that domain computer.
>
> OK, that's what I suspected; however, I am not seeing anything in the local
> computer security log either.
>
>
>> Check Local Security Policy of the computer in question to make sure that
>> it indeed does show that auditing of logon events is enabled for success
>> and failure. For Windows 2000 computers look at the effective setting.
>
> It is enabled but the effective setting displays as "No Auditing". Why?
> How do I correct this?
>
> The auditing of logon events is enabled for success and failure in the
> Domain Security Policy, so even if that was overriding the settings on
> the domain workstation, the auditing should be enabled, shouldn't it? What
> am I missing?
>
>
>
>> Then try clearing the current security log to make sure it is not full
>> and try again.
>
> I've done this. It didn't have any effect.
>
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:e1ujfpp1FHA.2348@TK2MSFTNGP15.phx.gbl...
>> The failed logon for a "local" computer user for a domain computer would
>> only show in the security log of the domain computer itself - not the
>> domain controller assuming that auditing of logon events was indeed
>> enabled for that domain computer. Check Local Security Policy of the
>> computer in question to make sure that it indeed does show that auditing
>> of logon events is enabled for success and failure. For Windows 2000
>> computers look at the effective setting. Then try clearing the current
>> security log to make sure it is not full and try again. Also try
>> logging onto the local console for that computer to see if any logon
>> events are recorded or not. --- Steve
>>
>>
>>
>> "Brad Baker" <brad@nospam.nospam> wrote in message
>> news:uiKWQzn1FHA.3780@TK2MSFTNGP12.phx.gbl...
>>> Steven -
>>>
>>> I think I am either misunderstanding your answer or you aren't
>>> understanding my question :-) Perhaps an example would clarify.
>>>
>>> We have two domain controllers: DC1, DC2
>>> A whole bunch of domain workstations: IIS1, IIS2, IIS3
>>> All of the machines above are part of a domain - let's call it dom1.
>>>
>>> "Audit account logon events" and "Audit logon events" are enabled for
>>> success and failures in the domain security policy for dom1.
>>>
>>> Now let's say that I attempt to log into a secure website on IIS1 using
>>> the dom1\administrator account and it fails.
>>> I do see an event in the DC1 or DC2 security log. (So far so good)
>>>
>>> Now I attempt to log into the same secure website on IIS1 using
>>> IIS1\administrator.
>>> I don't see an event in DC1, DC2 or IIS1 security log. What do I need to
>>> do to make sure this event gets logged?
>>>
>>> Thanks!
>>> Brad Baker
>>>
>>>
>>>
>>> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>>> news:F7CdnbW54LY82sTeRVn-uw@comcast.com...
>>>> You have to enable auditing of "logon events" for the domain computers
>>>> which could be done in Domain Security Policy. Then you will see a type
>>>> 2 logon event recorded when a domain user logs onto the domain computer
>>>> in that domain computer's security log. The reason "audit logon events"
>>>> does not work for domain computers is because the account logon event
>>>> is only recorded on the computer that authenticates the user which is a
>>>> domain controller for domain users. --- Steve
>>>>
>>>>
>>>> "Brad Baker" <brad@nospam.nospam> wrote in message
>>>> news:e2vu5dn1FHA.164@TK2MSFTNGP10.phx.gbl...
>>>>> We are trying to ensure that we have auditing enabled for all login
>>>>> attempts
>>>>> to either domain or local machine accounts.
>>>>>
>>>>> I believe that we have enabled auditing for domain level accounts
>>>>> through
>>>>> GPO. We have enabled "audit account logon events" and "audit logon
>>>>> events"
>>>>> under Local Policies -> Audit Policy. I am seeing login attempts for
>>>>> domain
>>>>> accounts on our domain controller's security logs but I am not seeing
>>>>> login
>>>>> attempts for local accounts either in the domain controller's security
>>>>> logs
>>>>> or on the local machine security logs.
>>>>>
>>>>> How do we enable logging of authentication attempts against local (not
>>>>> domain) accounts? Is this another GPO setting? Are we looking in the
>>>>> wrong
>>>>> place? Alternatively, is there a setting at the local machine level
>>>>> that
>>>>> needs to be set? Any information or assistance would be appreciated.
>>>>>
>>>>> Thanks,
>>>>> Brad Baker
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
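The symptom discussed in this thread (a setting that is enabled in one policy while the computer ends up with "No Auditing") can be checked offline from a security policy dump. The following is an added example, not part of the original thread: it assumes the INF text came from running `secedit /export /cfg <file>` on the computer in question, and the sample below is constructed.

```python
import sys

# secedit INF audit values: 1 = success, 2 = failure, 3 = both.
AUDIT_LABELS = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# The two settings the thread is about (INF key names used by secedit exports).
REQUIRED = ("AuditLogonEvents", "AuditAccountLogon")

# Constructed sample: logon-event auditing ended up disabled on this machine.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

def read_event_audit(inf_text):
    """Return {setting: int} parsed from the [Event Audit] section only."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Event Audit" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = int(value)
    return settings

def audit_gaps(inf_text, required=REQUIRED):
    """List (setting, current state) for settings not auditing success and failure."""
    found = read_event_audit(inf_text)
    gaps = []
    for name in required:
        value = found.get(name)  # None when the export does not define it
        if value != 3:
            gaps.append((name, AUDIT_LABELS.get(value, "Not defined")))
    return gaps

if __name__ == "__main__":
    # Real exports are normally UTF-16; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INF
    for name, state in audit_gaps(text):
        print(f"{name}: {state} (expected Success, Failure)")
```

Running it against exports taken before and after a policy refresh shows whether the refreshed GPO actually changed the audit settings on that computer.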


