I just set up two Win2003 SP2 R2 Domain Controllers and enabled auditing for directory services access (S/F). However, the default logging for this is way too noisy, and the customer does need this turned on to audit a few other items that I have added. There are a tremendous number of 836/837 event IDs being triggered (they were being triggered even before I made any changes). I have tried in a lab to find the object which is causing those events to fire, but I cannot seem to find it. Does anyone know what/where to go in order to fine-tune what AD is auditing, and in particular the 836/837 event IDs? Here is a sample of the 836/837 events.
836:
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 836
Date: 2/27/2009
Time: 6:14:31 PM
User: NT AUTHORITY\SYSTEM
Computer: W2K3-DC01
Description:
Destination DRA: CN=NTDS Settings,CN=W2K3-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testing,DC=internal
Source DRA: CN=NTDS Settings,CN=W2K3-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testing,DC=internal
Naming Context: DC=testing,DC=internal
Options: 19
Session ID: 10
Start USN: 20537
837:
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 837
Date: 2/27/2009
Time: 6:14:31 PM
User: NT AUTHORITY\SYSTEM
Computer: W2K3-DC01
Description:
Destination DRA: CN=NTDS Settings,CN=W2K3-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testing,DC=internal
Source DRA: CN=NTDS Settings,CN=W2K3-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testing,DC=internal
Naming Context: DC=testing,DC=internal
Options: 19
Session ID: 10
End USN: 20538
Status Code: 0
I have tried going to "AD Sites & Services" and removing all SACLs there, but the alerts still occur. At this point I do not care about security. I just need to find the object that is causing the 836/837 to trigger and make adjustments from there. Please don't state, "just turn off success auditing for directory services," because I can't due to the customer's needs.
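As an added example (not part of the original post): a small Python script that parses 836/837 events in the "Key: value" text layout quoted above, joins each 836 (which carries the Start USN) with its matching 837 (End USN and Status Code) on Session ID plus the Source/Destination DRA pair and naming context, and then counts sessions per replication partner and partition. The only inputs are the two events from the post, embedded as a constructed sample; the field names and the DC-name extraction from the "CN=NTDS Settings,CN=<dc>,..." DN are taken from those events, and the Options value is carried through unchanged rather than decoded.

```python
import re
from collections import Counter

# Constructed sample input: the two events quoted in the post, in the same
# "Key: value" layout Event Viewer shows. More events can be appended in the
# same format; every "Event Type:" line starts a new event.
SAMPLE_EVENTS = r"""
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 836
Date: 2/27/2009
Time: 6:14:31 PM
User: NT AUTHORITY\SYSTEM
Computer: W2K3-DC01
Description:
Destination DRA: CN=NTDS Settings,CN=W2K3-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testing,DC=internal
Source DRA: CN=NTDS Settings,CN=W2K3-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testing,DC=internal
Naming Context: DC=testing,DC=internal
Options: 19
Session ID: 10
Start USN: 20537

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 837
Date: 2/27/2009
Time: 6:14:31 PM
User: NT AUTHORITY\SYSTEM
Computer: W2K3-DC01
Description:
Destination DRA: CN=NTDS Settings,CN=W2K3-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testing,DC=internal
Source DRA: CN=NTDS Settings,CN=W2K3-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testing,DC=internal
Naming Context: DC=testing,DC=internal
Options: 19
Session ID: 10
End USN: 20538
Status Code: 0
"""

# "Key: value" field line; keys are letters and spaces, so the bare "836:" labels
# in the post and blank lines do not match and are skipped.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<value>.*)$")
# The DRA fields name a DC's NTDS Settings object; the second RDN is the DC name.
DC_NAME_RE = re.compile(r"^CN=NTDS Settings,CN=(?P<dc>[^,]+),", re.IGNORECASE)


def parse_events(text):
    """Parse Event Viewer text into a list of dicts, one per event."""
    events, current = [], None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Event Type":          # start of the next event
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events


def dc_name(dra_dn):
    """DC name from an NTDS Settings DN; the whole DN if it does not match."""
    m = DC_NAME_RE.match(dra_dn)
    return m.group("dc") if m else dra_dn


def pair_sessions(events):
    """Join each 836 (begin, Start USN) with its 837 (end, End USN, Status Code)
    on Session ID + source DC + destination DC + naming context."""
    sessions = {}
    for ev in events:
        if ev.get("Event ID") not in ("836", "837"):
            continue
        key = (ev.get("Session ID"), dc_name(ev.get("Source DRA", "")),
               dc_name(ev.get("Destination DRA", "")), ev.get("Naming Context"))
        s = sessions.setdefault(key, {
            "source_dc": key[1], "destination_dc": key[2], "naming_context": key[3],
            "options": ev.get("Options"), "start_usn": None, "end_usn": None,
            "status_code": None})
        if ev["Event ID"] == "836":
            s["start_usn"] = int(ev["Start USN"])
        else:
            s["end_usn"] = int(ev["End USN"])
            s["status_code"] = ev.get("Status Code")
    return sessions


def sessions_per_partner(sessions):
    """Count sessions by (source DC, destination DC, naming context) so the
    noisiest replication partner and partition stand out."""
    counts = Counter()
    for s in sessions.values():
        counts[(s["source_dc"], s["destination_dc"], s["naming_context"])] += 1
    return counts


if __name__ == "__main__":
    sessions = pair_sessions(parse_events(SAMPLE_EVENTS))
    for key, s in sessions.items():
        print(f"session {key[0]}: {s['source_dc']} -> {s['destination_dc']} "
              f"[{s['naming_context']}] USN {s['start_usn']}..{s['end_usn']} "
              f"status={s['status_code']} options={s['options']}")
    for (src, dst, nc), n in sessions_per_partner(sessions).most_common():
        print(f"{n:4d} session(s)  {src} -> {dst}  {nc}")
```

Run against a larger export in the same layout, the per-partner counts show which DC pair and which naming context account for the bulk of the 836/837 volume, which is the first thing to establish before deciding how to tune the audit policy for them.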