Re: Object Access Audit Policy for a Domain

Good. The alphabet strudle is sometimes necessary to separate out
the involved factors. I see by this post you are now using GPO linked
to Domain instead of Domain Controllers OU.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Tom Glasser" <TomGlasser@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8931ED99-4680-4E53-84AE-90FDBD8D63D3@xxxxxxxxxxxxxxxx
Roger,

Update to my earlier response:
It appears that my Domain policy change finally "percolated" down to my
local server. Not sure what the trigger or timing is on this, but it
seemed
to take a while! Also, since the change involved "undoing" a policy
setting,
those check boxes on the local server are no longer grayed-out.

I'm going to continue testing and sorting this all out.

Thanks,
Tom

"Roger Abell [MVP]" wrote:

Either bad info in that book or it was misread.
Setting that policy and audit SACL(s) in a GPO linked to the
DCs OU will cause the DCs to cut audit events for accesses
made on the DCs to resources that are part of the DCs (that
meet the SACL criteria). That is all.
Setting the policy to audit object access in a GPO linked to
the domain will make that setting on all machines of the domain
to which it is applied. However, audit events are still controlled
by what SACLs say should be auditied (and most people do not
set SACLs using GPOs), and when the event messages are cut
to the log these are on the machine where triggered (where the
SACL'd resources are).

"Tom Glasser" <TomGlasser@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0920CC9F-28D3-405D-8EEA-0BE3DD6BA024@xxxxxxxxxxxxxxxx
I am trying to figure out how Audit policies work. I got an "object
access"
policy to work on a local server (call it Server 1). Specified changes
in
a
certain folder would show up in the Security Event Log of that server.
But
then I tried to implement the policy on the Domain Controller for the
entire
domain. A book I have says the folder events (on Server 1) should then
show
up in the Security Event Log on the Domain Controller. But I am not
seeing
the expected events getting logged. Any thoughts ??

Thanks,
Tom





.

Relevant Pages

  • Re: Object Access Audit Policy for a Domain
    ... Setting that policy and audit SACLin a GPO linked to the ... DCs OU will cause the DCs to cut audit events for accesses ... policy to work on a local server. ...
    (microsoft.public.win2000.security)
  • Re: DC Demotion
    ... Group Policies are applied in the following order: ... Resultant Set of Policies in the Group Policy Management Console (free ... MVP Windows Server - Networking ... > the DC role and attached the machine to the new DCs and domain. ...
    (microsoft.public.windows.server.active_directory)
  • Domain Controller Security Policy errors
    ... Security Policy or the Domain Controller Security Policy. ... The DC is also a print and file server. ... The domain controller for Group Policy operations is not available. ...
    (microsoft.public.win2000.active_directory)
  • RE: Cant set Local Security policies. They fail to save
    ... predefined Security Template on SBS 2003 to restore security groups ... run "gpupdate.exe /force" under command prompt to force the policy ... reboot the Server to test. ... and then logon to client computer to test if user can save system logs. ...
    (microsoft.public.windows.server.sbs)
  • Re: Security Logon/Logoff Events
    ... I haven't yet set password policy or configured account lockout policy so I ... will do that in due course to fully secure the server. ...
    (microsoft.public.windows.server.sbs)