Re: auditing question
From: djc (noone_at_nowhere.com)
Date: 05/19/04
- Previous message: Joe Richards [MVP]: "Re: Lockout administrator account"
- In reply to: Marin Marinov: "Re: auditing question"
Date: Wed, 19 May 2004 10:49:24 -0400
Great info. Thank you very much. I am the detailed type so nothing is too
long or detailed for me! Whatever it takes to understand.
"Marin Marinov" <mlmarinov@askme.ca> wrote in message
news:MPG.1b144d99fafee81e9897d9@msnews.microsoft.com...
> <snip>
> You're pretty much on the right track ;)
>
> 1)
> "Account logon" events are generated in the Security log of the machine
> performing the authentication, i.e. the one that has access to the
> accounts (thus "account" logon). For domain accounts this would be the
> authenticating DC, for local - the local machine:
>
> http://tinyurl.com/2zg73
>
> "Logon" events are generated in the Security log of the machine which
> you access to consume resources, regardless of where your account
> resides:
>
> http://tinyurl.com/34osj
>
> <boring technical details>
> A so called "access token" is built when you access a resource. Every
> access to a resource on another machine (share, printer, etc.) results in
> you being authenticated before this machine so it knows who you are and
> what security to apply. For it to successfully control your access, the
> machine builds an access token containing you and all the groups you
> belong to. This token is then used when the machine "impersonates" you
> when you request access to resources. "Audit logon events" monitors the
> creation of the *access token*, "Audit account logon" monitors the
> *authentication* of the user account.
> </boring technical details>
>
> 2) In your case, yes, you have to use it in combination with "Audit
> object access". Remember that authentication against the server
> succeeded - it has created an access token for you, impersonated you
> trying to access the share, and received access denied due to
> insufficient permissions. But "logon" succeeded.
>
> For example, if you deny logon locally on a machine to a domain user and
> try to log on with that user you'll end up with:
> -"Audit account logon"-resulting success event in the DC's Security log
> -"Audit logon"-resulting failure event in the machine's Security log.
>
> And if you've read this far I hope this cleared the matter ;) Let me
> know if I got too carried away and blurred the essence.
>
> HTH
> --
> Cheers,
> Marin Marinov
> MCT, MCSE 2003/2000/NT4.0,
> MCSE:Security 2003/2000, MCP+I
> -
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
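
The two cases in the quoted reply (access denied on a share, and "deny logon locally"), worked through as an added example that is not part of the original posts. The records are constructed, and the host names DC1, FILESRV, WKS1 and the user name are hypothetical; each record notes which machine's Security log would hold it and which audit category produced it.

```python
from collections import namedtuple

# host = machine whose Security log holds the record
# category = audit policy category that produced the record
Event = namedtuple("Event", "host category user result")

# Order in which one access attempt is checked.
STAGES = ("account_logon", "logon", "object_access")

def first_failure(events, user):
    """Return (stage, host) for the earliest stage that logged a failure, else None."""
    failed = {}
    for e in events:
        if e.user == user and e.result == "failure":
            failed.setdefault(e.category, e.host)
    for stage in STAGES:
        if stage in failed:
            return stage, failed[stage]
    return None

def unaudited(events, user):
    """Stages with no record for this user: either the attempt never got
    that far, or that category is not audited where it would be logged."""
    seen = {e.category for e in events if e.user == user}
    return [s for s in STAGES if s not in seen]

USER = "CORP\\alice"  # hypothetical account

# Case 2 of the reply: authentication and logon succeed, share access is denied.
SHARE_DENIED = [
    Event("DC1", "account_logon", USER, "success"),
    Event("FILESRV", "logon", USER, "success"),
    Event("FILESRV", "object_access", USER, "failure"),
]

# "Deny logon locally": the DC authenticates the account, the machine refuses the logon.
LOCAL_LOGON_DENIED = [
    Event("DC1", "account_logon", USER, "success"),
    Event("WKS1", "logon", USER, "failure"),
]

if __name__ == "__main__":
    print(first_failure(SHARE_DENIED, USER))
    print(first_failure(LOCAL_LOGON_DENIED, USER))
    # Same share access without "Audit object access": only successes are visible.
    no_obj = [e for e in SHARE_DENIED if e.category != "object_access"]
    print(first_failure(no_obj, USER), unaudited(no_obj, USER))
```

With the object access records filtered out, the denied share access leaves only success events behind, which is why the reply says the logon categories have to be combined with "Audit object access".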