audit settings in domain

I'm installing software to try and figure out where account lockouts are coming from.
The caller name is always blank.
I have a group policy for domain controllers which has the following enabled:
Policy Setting
Audit account logon events Failure
Audit account management Success
Audit directory service access Success
Audit logon events Failure
Audit object access No auditing
Audit policy change No auditing
Audit privilege use No auditing
Audit process tracking No auditing
Audit system events No auditing

A member server with the following enabled:
Policy Setting
Audit account management Success
Audit object access Success

Event Log
Policy Setting
Maximum security log size 2621440 kilobytes
Retention method for security log As needed

This software is now asking us to enable the following for the default domain policy:
audit account management success failure
audit account logon events failure
audit logon events failure

I'm worried, as the default policy goes out to all computers and servers.
Is it safe to do this?
Will it cause a lot of traffic or problems?
dougdog Asked:
Mike Kline Commented:
It won't cause traffic problems as the audit logs are local on the box and don't take up network bandwidth.

I support federal agencies and I won't say which one right now but here are our standards

Audit Account logon  > Success & Failure
Audit account mgmt > Success & Failure
Audit Logon events > success and failure

What the software/vendor is asking for is not out of the ordinary.

Thanks

Mike
0
dougdog (Author) Commented:
Will this fill the event logs on the servers or the clients?
0
Mike Kline Commented:
Since you are setting "overwrite events as needed", it won't fill up the logs past your maximum security log size.

Thanks

Mike
0

Will Szymkowski (Senior Solution Architect) Commented:
If you are trying to audit Active Directory, I recommend getting ADAudit Plus. Not free, but they have a full free 30-day trial. Easy to set up and configure.

http://www.manageengine.com/products/active-directory-audit/
0
dougdog (Author) Commented:
Those settings I have are for the domain controllers policy.
If I enable the default domain policy, what happens?
It's to figure out account lockouts.
0
Mike Kline Commented:
You should be fine with just having them apply to the DCs for tracking lockouts on domain accounts.

Thanks

Mike
0
dougdog (Author) Commented:
So why is the caller computer name always empty?
0
Mike Kline Commented:
What is the event ID?
0
dougdog (Author) Commented:
4740
But the caller computer name is empty.
0
dougdog (Author) Commented:
OK, this now shows the lockouts coming from a mixture of 2 servers.
Both of these servers run as RADIUS servers running IAS.
0
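One way to chase an empty caller computer name on event 4740, as an added example that is not part of the original thread: it goes a step beyond the thread by falling back to the failed-authentication events (4771 and 4776) that the "Audit account logon events: Failure" setting on the domain controllers already produces. The function name Get-LockoutSource, the user jdoe, and the host names and address in the sample are constructed for illustration.

```powershell
# Added example: name the lockout source, falling back to failed-auth events
# when event 4740 carries no caller computer name.
function Get-LockoutSource {
    param([Parameter(Mandatory)][string[]]$EventXml)

    # Flatten each event's <EventData> into a hashtable keyed by field name.
    $events = foreach ($raw in $EventXml) {
        $e = ([xml]$raw).Event
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
        [pscustomobject]@{ Id = [int]$e.System.EventID; Data = $d }
    }

    foreach ($lock in ($events | Where-Object { $_.Id -eq 4740 })) {
        $user   = $lock.Data['TargetUserName']
        # In the 4740 XML, "Caller Computer Name" is the TargetDomainName field.
        $caller = $lock.Data['TargetDomainName']
        $basis  = '4740'
        if ([string]::IsNullOrWhiteSpace($caller)) {
            # 4776 (NTLM) records Workstation; 4771 (Kerberos) records IpAddress.
            $caller = $events |
                Where-Object { ($_.Id -in 4771, 4776) -and ($_.Data['TargetUserName'] -eq $user) } |
                ForEach-Object { if ($_.Id -eq 4776) { $_.Data['Workstation'] } else { $_.Data['IpAddress'] } } |
                Where-Object { $_ } | Group-Object | Sort-Object Count -Descending |
                ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }
            $basis = '4771/4776'
        }
        [pscustomobject]@{ User = $user; Caller = $caller -join ', '; Basis = $basis }
    }
}

# Constructed sample events (not real log data), trimmed to the fields used above.
$sample = @(
    '<Event><System><EventID>4740</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName"></Data></EventData></Event>'
    '<Event><System><EventID>4776</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="Workstation">RADIUS01</Data></EventData></Event>'
    '<Event><System><EventID>4776</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="Workstation">RADIUS01</Data></EventData></Event>'
    '<Event><System><EventID>4776</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="Workstation">RADIUS02</Data></EventData></Event>'
    '<Event><System><EventID>4771</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="IpAddress">::ffff:192.0.2.10</Data></EventData></Event>'
)
Get-LockoutSource -EventXml $sample

# Live use on a domain controller (elevated session):
# Get-LockoutSource -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740,4771,4776} |
#     ForEach-Object { $_.ToXml() })
```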