How to turn on Domain Security Audits?

My security event log is empty on my domain controllers.  I have auditing (of many types of events, including logons) turned on both in Local Security Policy and Domain Security Policy.  My log size is set at 10048/rewrite-as-needed.  But it's completely empty!  System, application and other logs are working fine.

How do I make this domain start logging security events?

gateguard asked:
 
Fatal_Exception (Systems Engineer) commented:
Ok..  I believe this is the answer..  The audit policy in Default Domain Controllers Policy is overriding the audit policy in Default Domain Policy....  after reading the following, it clicked and made sense..  should have picked up on it right away...  Hopefully it will help you too..

http://www.winnetmag.com/Article/ArticleID/21295/Windows_21295.html

To start auditing account logon events, you can either enable auditing for this category in Default Domain Controllers Policy or switch the policy to not defined, in which case Default Domain Policy will be the only GPO specifying an audit policy.

The difference between Audit logon events and Audit account logon events is where Win2K tracks and records the logon events. Audit logon events tracks and records events at the workstation, whereas Audit account logon events tracks and records events centrally at your DC. (Audit account logon events also shows the low-level Kerberos logon details.) For more information, see my Windows 2000 Magazine article "Audit Account Logon Events" (March 2001).

FE
0
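
The precedence described in the answer above, shown as an added example that is not part of the original thread. It assumes the audit settings are read from each GPO's `GptTmpl.inf` `[Event Audit]` section (0 = no auditing, 1 = success, 2 = failure, 3 = both; an absent key means Not Defined), and the three INF fragments are constructed sample data.

```python
import configparser

# Constructed GptTmpl.inf fragments (sample data, not taken from the thread).
# Real files are UTF-16 and live under the GPO's Machine\Microsoft\Windows NT\SecEdit folder.
DOMAIN_POLICY = "[Event Audit]\nAuditLogonEvents = 3\nAuditAccountLogon = 3\n"
# Defined as "No auditing": an explicit 0, which is not the same as Not Defined.
DC_POLICY_NO_AUDITING = "[Event Audit]\nAuditLogonEvents = 0\nAuditAccountLogon = 0\n"
# Not Defined: the keys are simply absent.
DC_POLICY_NOT_DEFINED = "[Event Audit]\n"

MEANING = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def parse_audit(inf_text):
    """Return {setting: int} from [Event Audit]; a missing key means Not Defined."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key names' original case
    cp.read_string(inf_text)
    if not cp.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in cp.items("Event Audit")}


def effective_audit(gpos_in_apply_order):
    """GPOs applied later win per setting. Returns {setting: (value, winning GPO)}."""
    effective = {}
    for gpo_name, inf_text in gpos_in_apply_order:
        for key, value in parse_audit(inf_text).items():
            effective[key] = (value, gpo_name)
    return effective


def report(gpos_in_apply_order):
    """Human-readable view of the effective audit policy on a DC."""
    return {key: f"{MEANING[value]} (from {source})"
            for key, (value, source) in effective_audit(gpos_in_apply_order).items()}


if __name__ == "__main__":
    # Domain-linked GPO applies first, then the one linked to the Domain Controllers OU.
    for label, dc_inf in (("DC policy = No auditing", DC_POLICY_NO_AUDITING),
                          ("DC policy = Not Defined", DC_POLICY_NOT_DEFINED)):
        print(label)
        for key, text in report([("Default Domain Policy", DOMAIN_POLICY),
                                 ("Default Domain Controllers Policy", dc_inf)]).items():
            print(f"  {key}: {text}")
```
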
 
chad commented:
You need to choose items to audit.
When you enable auditing, it just allows it to be done.
0
 
chad commented:
http://support.microsoft.com/default.aspx?scid=kb;en-us;248260
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;en-us;314955

The Microsoft support website is a wealth of information.
Just enter in the items you are looking for in the search box on the left.

  [audit network "HOW TO"] will return most of these results
www.support.microsoft.com
 hth
CHAD
0
 
gateguard (Author) commented:
I've done all that stuff.  Including the group policy settings.

As far as I can see, security auditing is turned on in this domain.

And yet... the security log file is empty.

Is there a registry setting I can check somewhere?

0
 
Fatal_Exception (Systems Engineer) commented:
Have you actually gone into the Folder structure and specified the file events to be audited (may be audited by user or group)..?

Here is a basic primer on auditing:

http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
0
 
gateguard (Author) commented:
I don't want to audit file access.  I want to audit logon successes and failures to the domain.

I'm reading the link you just provided.  Looks like I have to do something in Sites/Services.

0
 
gateguard (Author) commented:
Nope.  Nothing there.  It's done at the group policy level, in the default domain policy.  I've checked that a thousand times.

I even disabled event logging, rebooted, moved the security.evt file (basically forcing it to create a new one in case it's corrupt), re-enabled event logging, rebooted, still the same thing: empty security event log.

It should have my own logon success.  

It has nothing.

0
 
Zaheer Iqbal (Technical Assurance & Implementation) commented:
Hi @Poster,

Double check to see if the audit service is running under Services in Administrative Tools.

The one and only 1stITMAN
0
 
chad commented:
To enable auditing of Active Directory:

   1. Log on to Windows 2000 with an account that has Administrator rights. If you wish to give others set auditing rights, see the reference section below.
   2. Ensure the Group Policy snap-in is installed. If it is not installed, follow the directions to install it listed in the section below.
   3. Start the Active Directory Users and Computers snap-in by clicking Start, pointing to Programs, and then pointing to Administrative Tools.
   4. On the View menu, click Advanced Features.
   5. Right-click the Domain Controllers container, and then click Properties.
   6. Click the Group Policy tab.
   7. Click Default Domain Controller Policy, and then click Edit.
   8. Double-click the following items to open them: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
   9. In the right pane, open Audit Directory Services Access.
  10. Click the appropriate options: either Audit Successful Attempts, Audit Failed Attempts, or both.

http://support.microsoft.com/default.aspx?scid=kb;en-us;300549#3
0
 
gateguard (Author) commented:
Worked!
0
 
Fatal_Exception (Systems Engineer) commented:
*grin*   fantastic..!!

And thanks..

FE
0
Question has a verified solution.
