Solved

User cannot logon on their computers because security log is full

Posted on 2011-09-23
10
1,003 Views
Last Modified: 2012-05-12
Hi Experts,

Today I faced a weird problem with a client's active directory network. Because of a problem with replication, all sysvol content was deleted. After that all policies stopped to be applied at the computers. This was expected. Unexpected was the fact that no one could log in in their computers because of the following error:

The security log on this system is full

The error appears as a message box before user logon input. Users are not member of local admins, so they can't logon at all.

There is no GPO that enforces Logs configuration at the computers for retention or rotation at all. The only configuration we have in Domain is that Default Domain Policy sets some Audit Policies (sucess an failure for most events).

It's a fact that we are logging a lot of events at computers (much of them I know is useless. we will fix it soon). The Security Logs at the computers might be full or very close to its storage capacity. But we can't have it as the root cause of the problem since when domain policies were fixed, the error message gone away, users can login and security log keeps been filled up.

What is worse is that many users tried to logon this morning at the company's network with their laptops. As they couldn't logon, because of the security log error, they went back home and tried to work through vpn. Unfortunately when they started their laptops, the error message appeared again and didn't let them to log in to the computer.

These outside users came with a problem that we couldn't solve. They don't have local admins rights and we couldn't logon to their computers with our domain admins credentials because they were working from home. If someone asks "why dind't we give local admin's password to these users and instruct them to logon locally and fix the problem? Because we are not allowed to do that. All computers at the domain share the same local admin password. If we give it to one user, we have to change it all over the domain that span 3 different countries.

Anyone has any idea why this problem happened? In other words, If GPO fails to be applied at computer level, the security log issue doesn't let users to login on.

Thanks!

Rodrigo Garcone
0
Comment
Question by:garconer
  • 6
  • 3
10 Comments
 
LVL 24

Expert Comment

by:Sandeshdubey
Comment Utility
Use Group Policy to Set Your Application,security and System Log Security in default domain policy.Once this is set the user will not face login issue when the event log gets full on the worksation.

Location
Default Domain policy\Computer Configuration\Windows Settings\Security Settings\Event Log

Policy                                                          Setting
Maximum application log size                 10240 kilobytes
Maximum security log size                     10240 kilobytes
Maximum system log size                       10240 kilobytes
Retention method for application log           As needed
Retention method for security log               As needed
Retention method for system log                As needed




0
 

Author Comment

by:garconer
Comment Utility
Sandes,

Tks for the reply but this is not the answer for the question. I know this settings you presented and it has been done. The issue is if gpo fail to be applied, even with the settings you suggested configured at gpo level, the security log error occurs
0
 
LVL 11

Expert Comment

by:Ackles
Comment Utility
0
 
LVL 11

Expert Comment

by:Ackles
Comment Utility
0
 
LVL 11

Expert Comment

by:Ackles
Comment Utility
Since you have problem with sysvol replication, you will have to do it on computers locally.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:garconer
Comment Utility
Hi Ackles,

Tks for the reply. The question is not related on how to configure Security Logs locally or using GPO. I know how to do that.

The question is why when gpo fails to be applied the log is full message appears and block users from log in to their computers.
0
 
LVL 11

Expert Comment

by:Ackles
Comment Utility
Hi,
As you know that GPO get's applied at time scheduel which is either setup as default or specified via GP.
Now there are also Security GPO's which are applied even if there has nothing changed, I mean you are aware that only when there is a change in GPO they get applied, however Security GPO's are always applied even if there is no change. This might be the reason as Audit & other policies fail to apply & in turn fill up the logs.

Does that make sense?

A
0
 
LVL 11

Accepted Solution

by:
Ackles earned 500 total points
Comment Utility
0
 

Author Comment

by:garconer
Comment Utility
Yes, it makes a lot of sense. That's answer the question. tks!
0
 
LVL 11

Expert Comment

by:Ackles
Comment Utility
Glad that helped, Thanks for points!
A
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

This is my first article in EE and english is not my mother tongue so any comments you have or any corrections you would like to make, please feel free to speak up :) For those of you working with AD, you already are very familiar with the classi…
I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now