|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Auditing logon and logoff isn't getting into Security logI'm trying to setup logon auditing for a windows 2000 server, which is the only server in the domain/AD. I followed Microsoft's KB instructions for setting this up, however, when I test it by logging off and on of a windows XP workstation that is a member of the domain, nothing is getting written into the security log. I am seeing the Security policy applied sucessfully in the Application log, so I'm guessing the policy is getting updated with the auditing information, but still nothing is showing up in the security log when I log on and off. The only thing I'm seeing as far as errors/warnings is a warning about DNS getting invalid domain packets from one of the forwarders we use. is there a delay between setting up the GPO & it's being implemented? Any help, or even where to start looking, would be appreciated. Followup: I turned on the auditing to see if anything was getting
logged, and I got a log for an account lockout, so I know it's logging stuff, just not the domain logons. Perhaps you should tell us what you did, what settings you
made, and where; and what the KB was that you used. Otherwise we can only guess. <scott.ren***@gmail.com> wrote in message Show quoteHide quote news:1162396326.340420.126430@f16g2000cwb.googlegroups.com... > Followup: I turned on the auditing to see if anything was getting > logged, and I got a log for an account lockout, so I know it's logging > stuff, just not the domain logons. > <scott.ren***@gmail.com> wrote in message
news:1162396326.340420.126430@f16g2000cwb.googlegroups.com... There are some links to articles here. Could it be that you checked to > Followup: I turned on the auditing to see if anything was getting > logged, and I got a log for an account lockout, so I know it's logging > stuff, just not the domain logons. audit only failures and not successes? As you may know, enable logging on the domain controller and look in the log there to track domain authentication (and do the same on each workstation if you wish to track workstation authentication events such as local logins). It doesn't sound like this is the case, but you might also try clearing the Security log in Event Viewer in case the log is corrupt. http://securityadmin.info/faq.asp?auditing -- kind regards, Karl Levinson, CISSP, CCSA, MCSE [MS MVP] -------------------------------- Microsoft Security FAQ: http://securityadmin.info 
Other interesting topics
Account Logon Time Restriction
Changing process priorities of normal users Mystery Directories security and pipes explained How do I trace a batch process? Autoenrollment of Certificate Certificate FQDN example.local domain using example.com certificate How to keep track of files and directories L2TP VPN question Running sysinternals PSPASSWD.exe from local system account |
|||||||||||||||||||||||
