Solved

How to turn on Domain Security Audits?

Posted on 2004-03-24
Last Modified: 2010-04-13
My security event log is empty on my domain controllers.  I have auditing (of many types of events, including logons) turned on both in Local Security Policy and Domain Security Policy.  My log size is set at 10048/rewrite-as-needed.  But it's completely empty!  System, application and other logs are working fine.

How do I make this domain start logging security events?

0
Question by:gateguard
11 Comments
 
LVL 11

Expert Comment

by:kabaam
You need to choose items to audit.
When you enable auditing it just allows it to be done.
0
 
LVL 11

Expert Comment

by:kabaam
http://support.microsoft.com/default.aspx?scid=kb;en-us;248260
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;en-us;314955

The Microsoft support website is a wealth of information.
Just enter in the items you are looking for in the search box on the left.

  [audit network "HOW TO"] will return most of these results
www.support.microsoft.com
 hth
CHAD
0
 

Author Comment

by:gateguard
I've done all that stuff.  Including the group policy settings.

As far as I can see, security auditing is turned on in this domain.

And yet... the security log file is empty.

Is there a registry setting I can check somewhere?

0
 
LVL 40

Expert Comment

by:Fatal_Exception
Have you actually gone into the Folder structure and specified the file events to be audited (may be audited by user or group)..?

Here is a basic primer on auditing:

http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
0
 

Author Comment

by:gateguard
I don't want to audit file access.  I want to audit logon successes and failures to the domain.

I'm reading the link you just provided.  Looks like I have to do something in Sites/Services.

0

 

Author Comment

by:gateguard
Nope.  Nothing there.  It's done at the group policy level, in the default domain policy.  I've checked that a thousand times.

I even disabled event logging, rebooted, moved the security.evt file (basically forcing it to create a new one in case it's corrupt), re-enabled event logging, rebooted, still the same thing: empty security event log.

It should have my own logon success.  

It has nothing.

0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
Hi @Poster,

Double check to see if the audit service is running under Services in Administrative Tools.

The one and only 1stITMAN
0
 
LVL 11

Expert Comment

by:kabaam
To enable auditing of Active Directory:

   1. Log on to Windows 2000 with an account that has Administrator rights. If you wish to give others set auditing rights, see reference section below.
   2. Ensure the Group Policy snap-in is installed; if it is not installed, follow the directions to install it listed in the section below.
   3. Start the Active Directory Users and Computers snap-in by clicking Start, pointing to Programs, and then pointing to Administrative Tools.
   4. On the View menu, click Advanced Features.
   5. Right-click the Domain Controllers container, and then click Properties.
   6. Click the Group Policy tab.
   7. Click Default Domain Controller Policy, and then click Edit.
   8. Double-click the following items to open them: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
   9. In the right pane, open Audit Directory Services Access.
  10. Click the appropriate options: either Audit Successful Attempts, Audit Failed Attempts, or both.

http://support.microsoft.com/default.aspx?scid=kb;en-us;300549#3
0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 500 total points
Ok..  I believe this is the answer..  The audit policy in Default Domain Controllers Policy is overriding the audit policy in Default Domain Policy....  after reading the following, it clicked and made sense..  should have picked up on it right away...  Hopefully it will help you too..

http://www.winnetmag.com/Article/ArticleID/21295/Windows_21295.html

To start auditing account logon events, you can either enable auditing for this category in Default Domain Controllers Policy or switch the policy to not defined, in which case Default Domain Policy will be the only GPO specifying an audit policy.

The difference between Audit logon events and Audit account logon events is where Win2K tracks and records the logon events. Audit logon events tracks and records events at the workstation, whereas Audit account logon events tracks and records events centrally at your DC. (Audit account logon events also shows the low-level Kerberos logon details.) For more information, see my Windows 2000 Magazine article "Audit Account Logon Events" (March 2001).

FE
0
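
The override described in the accepted answer, as an added example that is not part of the original thread or the linked article: it reads the `[Event Audit]` section of two security templates (the `GptTmpl.inf` format a GPO stores its audit policy in) and resolves them in application order. The template contents and the function names are constructed for illustration, and it assumes neither No Override nor Block Inheritance is set on the links.

```python
import configparser

# [Event Audit] values: 0 = No auditing, 1 = Success, 2 = Failure, 3 = both.
# A category that is "Not defined" in a GPO has no line in the file at all.

# Constructed sample: Default Domain Policy enables logon auditing.
DEFAULT_DOMAIN_POLICY = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
"""

# Constructed sample: Default Domain Controllers Policy defines the same
# categories as 0, which is a defined setting and therefore wins on the DCs.
DEFAULT_DC_POLICY = """\
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
AuditDSAccess = 1
"""

# Application order on a domain controller: domain-linked GPO, then OU-linked GPO.
APPLY_ORDER = [("Default Domain Policy", DEFAULT_DOMAIN_POLICY),
               ("Default Domain Controllers Policy", DEFAULT_DC_POLICY)]

def parse_event_audit(inf_text):
    """Return {category: value} for the categories this template defines."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key case as written in the template
    cp.read_string(inf_text)
    if not cp.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in cp.items("Event Audit")}

def effective_audit_policy(gpos):
    """Resolve (value, winning GPO) per category; the last GPO defining it wins."""
    effective = {}
    for name, text in gpos:
        for category, value in parse_event_audit(text).items():
            effective[category] = (value, name)
    return effective

def silenced_categories(gpos):
    """Categories that some GPO enables but the winning GPO sets to No auditing."""
    enabled = {c for _, t in gpos for c, v in parse_event_audit(t).items() if v}
    effective = effective_audit_policy(gpos)
    return sorted(c for c in enabled if effective[c][0] == 0)
```

Deleting the two `= 0` lines from the domain controllers template models switching those categories to "Not defined", after which the domain-level values become the effective ones.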
 

Author Comment

by:gateguard
Worked!
0
 
LVL 40

Expert Comment

by:Fatal_Exception
*grin*   fantastic..!!

And thanks..

FE
0
