  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 529

registry settings for audit policies

Under the audit policies for the local user manager on each workstation, there are 7 events with success and failure options. I was trying to find the location of each of these events in the registry but was not able to. Do you have any ideas?
0
schurch122297
Asked:
1 Solution
 
cbo120897 Commented:
You can use sysdiff.exe (Resource Kit) to check which changes were made in the registry.

1. PC without policy entries
2. run sysdiff
3. make the policy entries
4. restart PC
5. run sysdiff again to find out the differences

bye

0
 
dlanssens Commented:
Audit policies are stored in a special registry hive:

HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv

The values in this hive are modified by User Manager.

Normally, you don't have access to that registry hive, because it is being mapped to other parts of the registry, e.g. HKLM\Security\SAM is mapped to HKLM\SAM.
You can look at that hive however, but you will have to give yourself some extra rights.  As an Administrator, open REGEDT32.
Select the hive HKLM\Security, go to Security-Permissions in the menu, and add Administrators with Full control.

Do this at your own risk !!!!!!!  You will get no support from Microsoft if you mess up the registry.
0
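The before/after comparison suggested above, applied to the key named in this answer, as an added example that is not part of the original thread. It assumes the two snapshots were taken as `.reg` text exports rather than with sysdiff; the sample byte values are constructed placeholders and do not reflect the real PolAdtEv layout.

```python
import re
from itertools import zip_longest

def parse_reg(text):
    """Parse .reg export text into {(key_path, value_name): raw_data}."""
    # Long hex values wrap with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            values[(key, name)] = m.group(2)
    return values

def diff_snapshots(before, after):
    """List (status, key, name, old, new) for every value that differs."""
    old, new = parse_reg(before), parse_reg(after)
    changes = []
    for ident in sorted(old.keys() | new.keys()):
        o, n = old.get(ident), new.get(ident)
        if o != n:
            status = "added" if o is None else "removed" if n is None else "changed"
            changes.append((status, *ident, o, n))
    return changes

def changed_offsets(old, new):
    """For two hex-typed values, list (offset, old_byte, new_byte) that differ."""
    def to_bytes(data):
        body = re.match(r"hex(?:\([0-9a-fA-F]+\))?:(.*)$", data).group(1)
        return [int(b, 16) for b in body.split(",") if b]
    pairs = zip_longest(to_bytes(old), to_bytes(new))
    return [(i, x, y) for i, (x, y) in enumerate(pairs) if x != y]

# Constructed snapshots: the byte values are placeholders, not the real layout.
BEFORE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv]
@=hex(0):01,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00
"""
AFTER = BEFORE.replace("  00,00,00,00,00", "  03,00,00,00,00")

if __name__ == "__main__":
    for status, key, name, old, new in diff_snapshots(BEFORE, AFTER):
        print(status, key, name, changed_offsets(old, new) if status == "changed" else "")
```

Changing one audit setting between snapshots and reading the reported offset shows which byte of the value that setting controls.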
 
schurch122297 Author Commented:
Thank you. I shall look into it.
0
