Announcement

Collapse
No announcement yet.

SBS 2008 Login Audits

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • SBS 2008 Login Audits

    I cannot seem to get my SBS 2008 box tracking failed login audits.

    I have been into the group policy (I presume I have changed the correct one as there are a few under the domain) to enable success and failure for the following:

    Audit Account Logon Events
    Audit Logon Events

    I have then forced the GP to update on the server.

    I have then tried loging into the server with an incorrect password and then checked the security logs again with event viewer and there is no event listed.

    Am I missing something?

    I really want to enable login of failed login attempts for local and remote connections ASAP (remote via terminal service gateway)

    Any suggestions appreciated.

  • #2
    Re: SBS 2008 Login Audits

    Which policy are you changing?
    Security Settings/Local Policies/Audit Policy
    or
    Security Settings/Advanced Audit Policy Configuration/Audit Policies
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?

    Comment


    • #3
      Re: SBS 2008 Login Audits

      Thanks for your reply Andy.

      I can only see Security Settings/Local Policies/Audit Policy under the Domain Controllers Policy.

      Should I be seeing the other one?

      Comment


      • #4
        Re: SBS 2008 Login Audits

        Which GPO are you editing? By default in SBS 2008 there is specifically no auditing enabled in the Default Domain Controllers policy. If you made the changes to the Default Domain Policy then this would have no effect. If this is where you made the changes then I would reverse the configuration changes made there and then make those policy changes you specified in the Default Domain Controllers policy.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        Comment


        • #5
          Re: SBS 2008 Login Audits

          Hi Jeremy,

          Thanks for your reply.

          I have checked and the policy I changed was the 'Default Domain Controllers Policy' under the Group Policy Objects, is this the correct one?

          Comment


          • #6
            Re: SBS 2008 Login Audits

            That is the correct one.

            I would run the RSoP Results wizard in Group Policy Management. This will tell you exactly which GPOs are applied and where each setting is coming from.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            Comment


            • #7
              Re: SBS 2008 Login Audits

              Thanks Jeremy.

              RSoP advising the following:
              -Default Domain Controllers Policy
              -Default Domain Policy
              -Update Services Server Computer Policy
              -Update Services Common Setting Policy

              Highest priority being the top one, which on inspection has the Audit set to success and failure for the following:
              -Audit account logon events
              -Audit logon events
              -Audit Privilege Use

              To me, it should be working but on examining the Security event log, I cannot see any failed login details. I would expect the failed login to be classed as critical/error/warning but if I filter the log to only show these type of events, the filtered list is blank.

              Am I missing something?

              Comment


              • #8
                Re: SBS 2008 Login Audits

                Ah, I see. Yes, you're filtering out both success and failure audits.

                When filtering the security log, click the Keywords dropdown and select audit failure.
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com

                Comment


                • #9
                  Re: SBS 2008 Login Audits

                  Originally posted by phantomguitarist View Post
                  Thanks Jeremy.

                  <SNIP>

                  To me, it should be working but on examining the Security event log, I cannot see any failed login details. I would expect the failed login to be classed as critical/error/warning but if I filter the log to only show these type of events, the filtered list is blank.

                  Am I missing something?
                  But its not an error. It SUCCESSFULLY LOGS the login failure AFAIK. But then again I may be mistaken...
                  TIA

                  Steven Teiger [SBS-MVP(2003-2009)]
                  http://www.wintra.co.il/
                  sigpic
                  Iím honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                  We donít stop playing because we grow old, we grow old because we stop playing.

                  Comment


                  • #10
                    Re: SBS 2008 Login Audits

                    Originally posted by teiger View Post
                    But its not an error. It SUCCESSFULLY LOGS the login failure AFAIK. But then again I may be mistaken...
                    You're not mistaken. The success and failure audit logs are informational messages so you need to filter by keyword to get either just the failure or success audit events.
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com

                    Comment

                    Working...
                    X