• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 414
  • Last Modified:

Auditing - RSOP

We just setup a new GPO and enabled auditing on a couple of our servers.  My question really is how do I verify/test this is working properly.  We wanted to document/audit when certain changes occur on the network such as; modification of folders, who logs onto one of these servers and the normal auditing in general.  As a test, I wanted to login to each server, but don't know where I would view/verify each server log in order to make sure this auting is correct.

Lastly, even if auditing is correct, is there a way to get even more granular?  There is one 2003 server and one 2008 R2 server.
0
uppercut7141
Asked:
uppercut7141
1 Solution
 
Mike KlineCommented:
You would check the security event logs.   2008 R2 supports advanced audit config which can let you get more granular.

Do you have a test lab.  You can test this out in a lab and get comfortable.

Thanks

Mike
0
 
SandeshdubeyCommented:
In order to audit you need to first enable audit policy for audit object access on the OU where all PC are placed or in default Domain Policy.
 

Refer below link:
http://www.sevenforums.com/tutorials/123362-audit-log-access-shared-folders.html
http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/
http://social.technet.microsoft.com/Forums/en-US/systemcentermonitoring/thread/3b7d3dfa-99e5-4aaf-a0e5-3e7dc4cb6f93/
 

I would also recommend to enable minimal audit setting on files and folder as this will create strom of events.Auditing can generate a large amount of data.Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.

You need to check event log to track the activities carried out by users.If file is deleted event id 560(Win2003) is logged in security log.

You also need to enable audit account logon events to tack the logon and account management see this for auditing:
AD DS Auditing Step-by-Step Guidehttp://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

You can set use Eventtriggers.exe to send e-mail based on Event IDs for certain critcal event ids:

Getting event log contents by email on an event log trigger
 http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx
 
You can also Set up event subscriptions in Windows 2008 to collectthe event.
 http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/f82d4872-601f-47c0-8c84-e2cac269fe00/

Hope this helps
0
 
uppercut7141Author Commented:
I checked the Event Viewer and received the following Event ID's when I logged/logged off the server as well as making a modication of permission on a specific folder:


4672  -- when I logged onto server

4647, 4634 - when I logged off server



When I added rights to a specific folder for a user, I received event ID:  

4673  -- A priviledged service was called
4688  -- Process creation

does this appear correct?  I was expecting more information from Event viewer.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
uppercut7141Author Commented:
Any thoughts on this?
0
 
Mike KlineCommented:
Yes those are correct, this is a very hand spreadsheet to have that lists all the events

http://www.microsoft.com/en-us/download/details.aspx?id=17871

Thanks

Mike
0
 
Pankaj_401Commented:
In Windows Server 2008 there is a possibility to audit changes in Active Directory.

Check out the Link

AD DS Auditing Step-by-Step Guide

 They are audited as events in Security event log as recommended  by mkline71 also you can go for Ad Auditing tool as well for the documentation purpose as these tool have functionality to give a regular report in your desired format for verification purpose
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now