Solved

How to turn on Domain Security Audits?

Posted on 2004-03-24
Last Modified: 2010-04-13
My security event log is empty on my domain controllers.  I have auditing (of many types of events, including logons) turned on both in Local Security Policy and Domain Security Policy.  My log size is set at 10048/rewrite-as-needed.  But it's completely empty!  System, application and other logs are working fine.

How do I make this domain start logging security events?

Question by:gateguard
11 Comments
 
LVL 11

Expert Comment

by:kabaam
ID: 10671830
You need to choose items to audit.
When you enable auditing, it just allows it to be done.
0
 
LVL 11

Expert Comment

by:kabaam
ID: 10671878
http://support.microsoft.com/default.aspx?scid=kb;en-us;248260
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;en-us;314955

The Microsoft support website is a wealth of information.
Just enter the items you are looking for in the search box on the left.

  [audit network "HOW TO"] will return most of these results
www.support.microsoft.com
 hth
CHAD
0
 

Author Comment

by:gateguard
ID: 10672095
I've done all that stuff.  Including the group policy settings.

As far as I can see, security auditing is turned on in this domain.

And yet... the security log file is empty.

Is there a registry setting I can check somewhere?

0

 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10672156
Have you actually gone into the Folder structure and specified the file events to be audited (may be audited by user or group)..?

Here is a basic primer on auditing:

http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
0
 

Author Comment

by:gateguard
ID: 10672197
I don't want to audit file access.  I want to audit logon successes and failures to the domain.

I'm reading the link you just provided.  Looks like I have to do something in Sites/Services.

0
 

Author Comment

by:gateguard
ID: 10672245
Nope.  Nothing there.  It's done at the group policy level, in the default domain policy.  I've checked that a thousand times.

I even disabled event logging, rebooted, moved the security.evt file (basically forcing it to create a new one in case it's corrupt), re-enabled event logging, rebooted, still the same thing: empty security event log.

It should have my own logon success.  

It has nothing.

0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 10672392
Hi @Poster,

Double check to see if the audit service is running under Services in Administrative Tools.

The one and only 1stITMAN
0
 
LVL 11

Expert Comment

by:kabaam
ID: 10672408
To enable auditing of Active Directory:

   1. Log on to Windows 2000 with an account that has Administrator rights. If you wish to give others set auditing rights, see reference section below.
   2. Ensure the Group Policy snap-in is installed. If it is not installed, follow the directions to install it listed in the section below.
   3. Start the Active Directory Users and Computers snap-in by clicking Start, pointing to Programs, and then pointing to Administrative Tools.
   4. On the View menu, click Advanced Features.
   5. Right-click the Domain Controllers container, and then click Properties.
   6. Click the Group Policy tab.
   7. Click Default Domain Controller Policy, and then click Edit.
   8. Double-click the following items to open them: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
   9. In the right pane, open Audit Directory Services Access.
  10. Click the appropriate options: either Audit Successful Attempts, Audit Failed Attempts, or both.

http://support.microsoft.com/default.aspx?scid=kb;en-us;300549#3
0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 500 total points
ID: 10672724
Ok..  I believe this is the answer..  The audit policy in Default Domain Controllers Policy is overriding the audit policy in Default Domain Policy....  after reading the following, it clicked and made sense..  should have picked up on it right away...  Hopefully it will help you too..

http://www.winnetmag.com/Article/ArticleID/21295/Windows_21295.html

To start auditing account logon events, you can either enable auditing for this category in Default Domain Controllers Policy or switch the policy to not defined, in which case Default Domain Policy will be the only GPO specifying an audit policy.

The difference between Audit logon events and Audit account logon events is where Win2K tracks and records the logon events. Audit logon events tracks and records events at the workstation, whereas Audit account logon events tracks and records events centrally at your DC. (Audit account logon events also shows the low-level Kerberos logon details.) For more information, see my Windows 2000 Magazine article "Audit Account Logon Events" (March 2001).

FE
0
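The precedence behaviour described in the accepted answer, as an added example that is not part of the original thread: it parses the `[Event Audit]` section of two security templates in `GptTmpl.inf` format and merges them in the order they apply to a domain controller (domain link first, Domain Controllers OU link last). The template contents are constructed samples, and `parse_event_audit` and `effective_audit` are hypothetical helper names.

```python
import configparser

# Values used in [Event Audit]: 0 = No auditing, 1 = Success, 2 = Failure, 3 = both.
# A category that is "Not defined" is simply absent from the file.

# Constructed sample: Default Domain Policy (linked at the domain).
DOMAIN_GPO = """
[Version]
signature="$CHICAGO$"
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 1
"""

# Constructed sample: Default Domain Controllers Policy with the categories
# explicitly DEFINED as "No auditing" (the situation in the thread).
DC_GPO_BEFORE = """
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
"""

# Constructed sample after the fix: one category enabled in the DC policy,
# the other switched to "Not defined" (removed) so the domain policy applies.
DC_GPO_AFTER = """
[Event Audit]
AuditAccountLogon = 3
"""

def parse_event_audit(inf_text):
    """Return {category: value} for the categories a template defines."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(inf_text)
    if not cp.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in cp["Event Audit"].items()}

def effective_audit(gpos_in_apply_order):
    """Merge templates; a later GPO wins only for categories it defines."""
    effective = {}
    for gpo_name, inf_text in gpos_in_apply_order:
        for key, value in parse_event_audit(inf_text).items():
            effective[key] = (value, gpo_name)
    return effective
```

On a real domain controller the files live under SYSVOL and are stored as UTF-16, so they need to be decoded before being passed to `parse_event_audit`.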
 

Author Comment

by:gateguard
ID: 10688034
Worked!
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10688100
*grin*   fantastic..!!

And thanks..

FE
0


Question has a verified solution.
