Re: Domain logon auditting - need help

• Previous message: Steven L Umbach: "Re: Windows 2003 firewall"
• In reply to: Brian Wood: "Domain logon auditting - need help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 22 Nov 2005 16:51:25 -0600

You would want to enable auditing of "account logon" events in domain
controller security policy and "logon" events in Domain Security Policy.
Then you will be able to see when the user logs onto his domain workstation.
To see both logon and logoff events you would have to look in the user's
workstation security log for type 2 logon events which indicate console
logon. Offhand I don't remember all the different even ID numbers but try
it out and you should see something going on when a user logs onto the
domain and make sure you increase the size of the security log quite a bit
[20MB or so maybe]. For Domain Controller Security Policy I suggest that you
audit "logon" events for failure only to keep down the noise in the
security logs otherwise all access of the sysvol share will generate tons of
logon events. --- Steve

"Brian Wood" <brianw@grangercci.com> wrote in message
news:usco2e47FHA.3804@TK2MSFTNGP12.phx.gbl...
> I'm trying to setup auditting so I can tell when a person logged on in the
> morning (we have some salaried people who mgmt thinks are not working
> their full 8 hours).
>
> Just to see when they login to the network in the morning, would I want to
> select "audit logon events" or "audit account logon events"?
>
> I setup this on one of our DC's with both, and am getting event IDs that
> are strange. Per research, it looks like a successful logon should give
> event ID 528 but I'm not getting any of those. I'm getting 538 and 540's,
> all throughout the day.
>
> Any help would be appreciated.
>

• Previous message: Steven L Umbach: "Re: Windows 2003 firewall"
• In reply to: Brian Wood: "Domain logon auditting - need help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]