Windows Server 2008 R2: Auditing -  Success vs. Failure

Posted on 2016-10-19
Medium Priority
Last Modified: 2016-10-19
What is meant by Audit Account Lockout - Success / Failure?  If an account is locked out, what constitutes a "success" and what constitutes a "failure"?  When does a user successfully lockout his/her account?  When does a user fail to lockout his/her account?  The info I've seen online simply repeats Microsoft's useless one-sentence explanation.

Similarly, how is Audit File System Success / Failure supposed to work?  Do we really want to audit every time an authorized user accesses a file successfully?  Alternatively, is this intended to be helpful in tracking when an unauthorized person accessed a file successfully?  If so, how would one sort through countless successful accesses by authorized users in order to locate a successful access by an unauthorized user?

I really appreciate any help.
Question by:cmmcginn
LVL 35

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 800 total points
ID: 41851015
"Audit Account Lockout" is successful when a user can log in, and fails when a user's account is locked out.

"Audit File System" - is indeed useful if you need to know every user that has accessed a file.  Most organizations don't, but some do.  By definition, an unauthorized user would fail this audit, so you'd check your logs for failures.
LVL 44

Accepted Solution

Adam Brown earned 1200 total points
ID: 41851151
Audit Account Lockout will write an event when an attempt is made to automatically lock out an account. The event will show a success if the account was locked out and a failure if the attempt to lock the account failed for some reason (This is extremely rare and signifies a pretty major system failure) and the account wasn't locked.

When you configure auditing on the file system, you have to configure auditing on the folders as well as in the security policy (this is done with the advanced permissions settings in the File/folder properties screen). If you have files that are under some regulatory or policy reason for recording all access to them, you'll need to make sure Success and Failure auditing are set up on the file. There are plenty of situations where this would be required. The event viewer can help you filter through the results if you need to examine the logs for some reason, but for the majority of environments, this type of auditing is meant to assist in forensic investigations following a security breach, and just having it enabled is really all you need to worry about. There are also a number of third party solutions that can be used to collect and examine the logs to look for violations and patterns automatically.

While users that aren't supposed to have access to specific files will record a failure audit when they attempt to do so, there are situations where users are granted access to things when they shouldn't be, and auditing for file system access successes will help show this.

Author Closing Comment

ID: 41851214
Thank you both very much!

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question