TermEcho (United States of America) asked:

Active Directory Network - Security Logs are full

A couple of weeks ago I followed a link

http://sogeeky.blogspot.com/2006/07/how-to-audit-and-track-file-deletions.html

in order to see who deleted what files on my file server. However, after having these settings for two days I started getting calls that when someone tried to log in to a computer they got the message "Your system security log is full and to contact the Administrator". I removed the GPO object that I had created hoping that this would stop, but it has not. Normally I can have the users shut down their workstation and then try to log in again, and sometimes that works, but more than anything I have to manually touch each computer and clear the security logs. How can I correct this and stop this annoying message?

Thanks,
ASKER CERTIFIED SOLUTION
PeteJThomas (United Kingdom of Great Britain and Northern Ireland)
I don't quite understand how this happened though, as it seems you've enabled auditing for all your machines domain-wide as opposed to just the server you were checking? You may want to explain exactly what you did so we can understand how this happened in the first place.

Keep in mind that if you define the above setting at the domain level, it will probably affect your DCs and everything, which may not be what you want. Try to define it at a place where it will JUST affect the client machines and servers that you want it to...

HTH

Pete
TermEcho (ASKER):
On my Domain Controller I went to the properties of my domain (example: xyz.com). Under the Group Policy tab I created a GPO object named "deleted files". Under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy, I enabled Audit Object Access. Then this problem started.

Do you think if I set the Computer Configuration > Windows Settings > Security Settings > Event Log and define "Retention Method for Security Log" as 'Overwrite as needed' it will solve my issue?
Yes, I do think it will fix it.

And that's where the problem came from too: you set it at your domain level, which probably means you edited the default domain policy, which will affect every single computer in your domain. Ideally, you would've just done this on the server that you wanted to audit (i.e. your file server, for example) using the local policy editor (gpedit.msc).

If it was actually a domain controller you wanted to audit, you could use the default domain controller policy, which just affects your DCs, not every single machine out there.

But yes, if you set that retention method policy, once the setting gets out to all the machines, they will just be able to overwrite the security logs, and should stop erroring and denying log on etc.

Any problems, just let me know!

Pete
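The retention fix above is applied by Group Policy, but it takes a refresh cycle to reach every machine, and workstations whose Security log is already full will keep rejecting logons until then. The following PowerShell script is an added example (not from this thread) that reports, for a list of computers, whether the Security log is full and which retention mode it uses, and with -Fix switches the local log to "Overwrite as needed" so the machine recovers immediately. It assumes remote event-log access and local administrator rights on the targets, and uses placeholder computer names.

```powershell
# Added example, not part of the original thread.
# Reports Security log fullness/retention on each machine and, with -Fix,
# sets the retention method to "Overwrite as needed" (LogMode = Circular).
param(
    [string[]]$ComputerName = @('WKS01', 'WKS02'),   # placeholder names
    [switch]$Fix
)

foreach ($c in $ComputerName) {
    try {
        # EventLogConfiguration for the Security log on the remote machine
        $log = Get-WinEvent -ListLog Security -ComputerName $c -ErrorAction Stop
    } catch {
        Write-Warning "$c : cannot read Security log configuration ($($_.Exception.Message))"
        continue
    }

    [pscustomobject]@{
        Computer  = $c
        LogMode   = $log.LogMode     # Circular = overwrite as needed; Retain = manual clear
        MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        Records   = $log.RecordCount
        IsFull    = $log.IsLogFull   # True on the machines that are refusing logons
    }

    if ($Fix -and $log.LogMode -ne 'Circular') {
        # Overwrite as needed, and a larger maximum so Object Access auditing
        # does not fill the log again within hours. Limit-EventLog is a
        # Windows PowerShell 5.1 cmdlet; on PowerShell 7 use
        # "wevtutil sl Security /rt:false" on the target instead.
        Limit-EventLog -LogName Security -ComputerName $c `
            -OverflowAction OverwriteAsNeeded -MaximumSize 128MB
        Write-Host "$c : Security log set to overwrite as needed"
    }
}
```

Once the GPO retention setting reaches the machines it will enforce the same mode, so the local change is only a bridge until the next policy refresh.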