Auditing in group policy problem

Status
Not open for further replies.

wardog25

In my default domain policy, I set up auditing for both account management events and for logon events.

Account management events now show up in the security log, but I have yet to see a logon event. (has been weeks)

Setting auditing account logon events for failure should give me something when people type in the wrong password, correct? I've had people get their account locked out by typing it wrong over 5 times, but still have not seen any account logon events in the security log.

What's the deal?
 
Hi Wardog25,

Are you auditing ACCOUNT LOGON EVENTS or LOGON EVENTS?


Quote from ComputerPerformance.com

"Watch out for two similar and potentially confusing policies, 'Audit Account Logon events' and 'Audit Logon events'. The difference is that Audit Logon events (the shorter one) means that you are checking who is pressing Ctrl Alt, Del at the domain controller (or desktop); whereas the Audit Account Logon events (the longer one) generates an event every time a user connects to that server across the network".

Just a thought...

Patty [ponytails2]
 
Hmm, I didn't understand the difference between those two. But I'd actually turned them both on, just in case I had the wrong one. But even with both on, I don't get any logon events listed.

Thanks
 
Default Domain Controllers Policy has a predefined audit policy that explicitly disables auditing.

If this policy is being read last, it is overriding the settings in your Default Domain Policy.

You can either enable auditing for this category in Default Domain Controllers Policy or switch the policy to not defined.

Patty [ponytails2]
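
Added example, not part of the original posts: a simplified Python model of the precedence described in the reply above, where the OU-linked Default Domain Controllers Policy is applied after the domain-linked Default Domain Policy and wins for every setting it defines. The GPO contents are constructed to match the symptoms in this thread (account management logged, account logon not), and the function names are hypothetical.

```python
# Added illustration: a simplified model of Group Policy precedence for audit settings.
# GPO contents below are constructed to match the thread, not exported from a real domain.
NOT_DEFINED = None          # "Not Defined": the GPO says nothing, so it cannot override
NO_AUDITING = frozenset()   # defined with neither box ticked: explicitly disables auditing

# Processing order: later scopes are applied last and win (local, site, domain, OU).
SCOPE_ORDER = ["local", "site", "domain", "ou"]

def resolve(gpos):
    """Return {setting: (effective_value, winning_gpo)} in the style of an RSoP report."""
    effective = {}
    for gpo in sorted(gpos, key=lambda g: SCOPE_ORDER.index(g["scope"])):
        for setting, value in gpo["settings"].items():
            if value is NOT_DEFINED:
                continue            # undefined settings leave the earlier value in place
            effective[setting] = (value, gpo["name"])
    return effective

def build(ddcp_account_logon):
    """GPOs that reach a domain controller, with a chosen DDCP value for Account Logon."""
    default_domain = {
        "name": "Default Domain Policy", "scope": "domain",
        "settings": {"Audit account logon events": frozenset({"Failure"}),
                     "Audit account management": frozenset({"Success", "Failure"})},
    }
    default_dc = {
        "name": "Default Domain Controllers Policy", "scope": "ou",
        "settings": {"Audit account logon events": ddcp_account_logon,
                     "Audit account management": NOT_DEFINED},
    }
    return [default_dc, default_domain]   # list order is irrelevant; scope decides

def describe(value):
    """Render a setting the way the policy editor words it."""
    return "No auditing" if not value else " and ".join(sorted(value, reverse=True))

if __name__ == "__main__":
    cases = [("as found", NO_AUDITING), ("fix 1: enable in DDCP", frozenset({"Failure"})),
             ("fix 2: Not Defined", NOT_DEFINED)]
    for label, ddcp_value in cases:
        print(label)
        for setting, (value, winner) in resolve(build(ddcp_value)).items():
            print(f"  {setting}: {describe(value)}  (from {winner})")
```

The two fix cases correspond to the two options in the reply: enabling the category in Default Domain Controllers Policy, or switching it to Not Defined so the Default Domain Policy value applies.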
 
Hi Wardog25,

Did you get your auditing configured?


Patty [ponytails2]
 
I didn't realize the default domain controller policy was set like that. I changed it today, though, so hopefully once the policy refreshes, the auditing will work correctly.

Thanks
 
Ok, now I have another question. What good is auditing account logon events? I'm supposed to audit failed attempts for security purposes, but it's not easy to pick through all the audits that show up every day. Seems like there are a lot of audit failures. But they aren't failed logons, because then the account would get locked out.

They say stuff like error 676 "pre-authentication failed" or something like that.

Are these things significant or commonplace?
 