Security Audit


  • Security Audit

    Hello,

    I have a question about security auditing. I have 2 DCs running Windows 2008 R2.

    Clients are running Windows XP, Windows 7, Windows 2003 (TS) and Windows 2008 R2 (TS).

    At this time, logging of failed logon attempts is not working. I have set up the default domain controller policy:

    I have cleared the event log on the DC, so there is one message about clearing the log.

    I tried to log on to the TS (2003) five times with a bad password. It caused the account to be locked. But I cannot find the event in the security log on the DCs.

    Settings in the default domain controller policy:

    Computer Configuration - Policies - Windows Settings - Local Policies / Audit Policies -

    Audit Account Logon events Success, Failure
    Audit Account management Success, Failure
    Audit Logon Events Success, Failure

    Thanks

    Caspi

  • #2
    Re: Security Audit

    Did you try from another machine as well?

    You configured the domain policy.

    Just for testing purposes, go to the Win 7 machine, open an (admin) Command prompt and type:
    auditpol.exe /get /category:*
    You should see the results if you configured it correctly.



    • #3
      Re: Security Audit

      or follow this guide

      good luck



      • #4
        Re: Security Audit

        I think that a locked account should be logged on the domain controller. Or not?
        Thanks

        Caspi



        • #5
          Re: Security Audit

          Hi again,

          Can anyone help me with the audit problem? There is a problem with the Default Domain Controller policy.

          Settings in this policy:

          Audit account logon events Success, Failure
          Audit account management Success, Failure
          Audit directory service access Success, Failure
          Audit logon events Success, Failure
          Audit object access Success, Failure
          Audit policy change Success, Failure

          After GPUPDATE /Force on the DCs, I got event logs:

          EventID 4719

          System audit policy was changed.

          Subject:
          Security ID: SYSTEM
          Account Name: DC2$
          Account Domain: DOMAIN
          Logon ID: 0x3e7

          Audit Policy Change:
          Category: Account Logon
          Subcategory: Kerberos Authentication Service
          Subcategory GUID: {0cce9242-69ae-11d9-bed3-505054503030}
          Changes: Success removed, Failure removed

          This is for all audit policies.

          How is it possible?
          Thanks

          Caspi

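The following Python script is an added example, not code posted by anyone in this thread. It parses Event ID 4719 message text in the layout quoted in post #5 and reports the events in which Success or Failure auditing was removed; the sample messages are constructed, and the `DC1$` entry is invented.

```python
import re

# Constructed sample messages in the Event ID 4719 layout quoted in post #5.
# The first repeats the values from that post; the second is invented.
SAMPLE_EVENTS = [
    """System audit policy was changed.
    Subject:
      Account Name: DC2$
      Account Domain: DOMAIN
    Audit Policy Change:
      Category: Account Logon
      Subcategory: Kerberos Authentication Service
      Changes: Success removed, Failure removed""",
    """System audit policy was changed.
    Subject:
      Account Name: DC1$
      Account Domain: DOMAIN
    Audit Policy Change:
      Category: Logon/Logoff
      Subcategory: Logon
      Changes: Success added""",
]

FIELD_RE = re.compile(
    r"^[ \t]*(Account Name|Category|Subcategory|Changes):[ \t]*(.+?)[ \t]*$",
    re.MULTILINE,
)

def parse_4719(message):
    """Return the fields of interest from one 4719 message as a dict."""
    return dict(FIELD_RE.findall(message))

def audit_reductions(messages):
    """List the events in which Success or Failure auditing was removed."""
    findings = []
    for message in messages:
        fields = parse_4719(message)
        changes = [c.strip().lower() for c in fields.get("Changes", "").split(",")]
        removed = sorted(c.split()[0].capitalize() for c in changes if c.endswith("removed"))
        if removed:
            findings.append({"account": fields.get("Account Name"),
                             "category": fields.get("Category"),
                             "subcategory": fields.get("Subcategory"),
                             "removed": removed})
    return findings

if __name__ == "__main__":
    for f in audit_reductions(SAMPLE_EVENTS):
        print(f"{f['account']}: {f['category']} / {f['subcategory']} lost {', '.join(f['removed'])}")
```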