Re: startup/shutdown events not being logged

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/14/05


Date: Wed, 13 Apr 2005 20:17:39 -0500

Hmm. It sure looks like your Group Policy is good. You might try clearing
the security log on one of those computers and rebooting it to see if
anything is recorded. I set my security logs to be at least 10MB. Below is
what I am getting in the "security" log of one of my XP Pro SP2 computers
after a reboot. --- Steve

Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 513
Date: 4/13/2005
Time: 1:45:33 PM
User: NT AUTHORITY\SYSTEM
Computer: STEVE-XP
Description:
Windows is shutting down. All logon sessions will be terminated by this
shutdown

***********************************************************

Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 4/13/2005
Time: 1:46:27 PM
User: NT AUTHORITY\SYSTEM
Computer: STEVE-XP
Description:
An authentication package has been loaded by the Local Security Authority.
This authentication package will be used to authenticate logon attempts.
 Authentication Package Name: D:\WINDOWS\system32\LSASRV.dll : Negotiate

<eric.hall@gmail.com> wrote in message
news:1113439138.187888.150700@f14g2000cwb.googlegroups.com...
> on Wed, 13 Apr 2005 18:04:43 -0500, "Steven L Umbach"
> <n...@nospam-comcast.net> wrote:
>
>>First make sure you are looking in the security log for those events in the
>>domain computers themselves.
>
> Yep, that's the problem. They show up in the 2003 server eventlog but
> not in ANY of the XP Pro workstations.
>
>>check Local Security Policy on one of the computers
>
> yeah, as I said policy appears to be propagating.
> http://www.ehsco.com/misc/localsec.gif shows that the local security
> policy widget sees that the value was set by a domain policy, so it
> should be working.
>
> Each of the workstations has a system eventlog, and the logs are full
> of system-like events from service control manager, TCP/IP, on-board
> devices, etc., but no "system" events like shutdown or anything. This
> has got me really flummoxed I must say.
>


