Link to home
Start Free TrialLog in
Avatar of gateguard
gateguard

asked on

How to turn on Domain Security Audits?

My security event log is empty on my domain controllers.  I have auditing (of many types of events, including logons) turned on both in Local Security Policy and Domain Security Policy.  My log size is set at 10048/rewrite-as-needed.  But it's completely empty!  System, application and other logs are working fine.

How do I make this domain start logging security events?

Avatar of chad
chad

you need to choose items to audit.
When you enable auditing it just allows it to be done.
http://support.microsoft.com/default.aspx?scid=kb;en-us;248260
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;en-us;314955

The microsoft support website is a wealth of information.
Just enter in the items you are looking for in the search box on the left

  [audit network "HOW TO"] will return most of these results
www.support.microsoft.com
 hth
CHAD
Avatar of gateguard

ASKER

I've done all that stuff.  Including the group policy settings.

As far as I can see, security auditing is turned on in this domain.

And yet... the security log file is empty.

Is there a registry setting I can check somewhere?

Have you actually gone into the Folder structure and specified the file events to be audited (may be audited by user or group)..?

Here is a basic primer on auditing:

http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
I don't want to audit file access.  I want to audit logon successes and failures to the domain.

I'm reading the link you just provided.  Looks like I have to do something in Sites/Services.

Nope.  Nothing there.  It's done at the group policy level, in the default domain policy.  I've checked that a thousand times.

I even disabled event logging, rebooted, moved the security.evt file (basically forcing it to create a new one in case it's corrupt), re-enabled event logging, rebooted, still the same thing: empty security event log.

It should have my own logon success.  

It has nothing.

Avatar of Zaheer Iqbal
Hi @Poster,

Double check to see if teh audit service is running under services in administartive tools..

The one and only 1stITMAN
To enable auditing of Active Directory:

   1. Log on to Windows 2000 with an account that has Administrator rights, if you wish to give others set auditing rights see reference section below.
   2. Ensure the Group policy snap-in is installed, if it is not installed follow the directions to install it listed in the section below
   3. Start the Active Directory Users and Computers snap-in by clicking Start, pointing to Programs, and then pointing to Administrative Tools.
   4. On the View menu, click Advanced Features.
   5. Right-click the Domain Controllers container, and then click Properties.
   6. Click the Group Policy tab.
   7. Click Default Domain Controller Policy, and then click Edit.
   8. Double-click the following items to open them: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
   9. In the right pane, open Audit Directory Services Access.
  10. Click the appropriate options: either Audit Successful Attempts, Audit Failed Attempts, or both.

http://support.microsoft.com/default.aspx?scid=kb;en-us;300549#3
ASKER CERTIFIED SOLUTION
Avatar of Fatal_Exception
Fatal_Exception
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Worked!
*grin*   fantastic..!!

And thanks..

FE