Audit group policy for logons

  • Thread starter: dand

dand

What is the best way to set up auditing for when certain
users log into our domain using VPN? We are running
a Windows 2000 domain.

Is there a way to get alerts (maybe through email) when
certain users log into the corporate VPN?
 
In case you are using IPSec, you could refer to this article:

816514 HOW TO: Configure IPSec Tunneling in Windows Server 2003
http://support.microsoft.com/?id=816514

Enable Auditing for Logon Events and Object Access
--------------------------------------------------

This logs events in the security log. This tells you if IKE
security association negotiation was tried and if it was successful or not.


1. Using the Group Policy MMC snap-in, expand "Local Computer Policy",
expand "Computer Configuration", expand "Windows Settings", expand
"Security Settings", expand "Local Policies", and then click "Audit
Policy".

2. Enable "Success" and "Failure" auditing for "Audit logon events" and
"Audit object access".

Note: If the Windows Server 2003 gateway is a
member of a domain and if you are using a domain policy for auditing,
the domain policy overwrites your local policy. In this case, modify
the domain policy.

If you are not using IPSec, you can do the above steps in the Default Domain
Policy. This will audit all logon events if done at that level.

An alternative idea would be to link a new policy (with auditing enabled for
success and failure) to the OU which contains the VPN users, then only give
VPN users Read and Apply Group Policy Allow permissions on that GPO.

Unfortunately, I'm not aware offhand of a tool to notify you via email as an
event is logged. The closest tool to that I know of is EventCombMT, but I
believe this just displays an alert (local to the box it is run on).

824209 How to Use the EventcombMT Utility to Search Event Logs for Account
http://support.microsoft.com/?id=824209

If anyone else is aware of a tool to do this, please post.
 
An amendment to the portion regarding enabling auditing for the VPN server
alone:

An alternative idea would be to link a new policy (with auditing enabled for
success and failure) to the OU which contains the VPN servers, then only
give the VPN servers Read and Apply Group Policy Allow permissions on that GPO.
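
One way to get the e-mail alert asked about at the top of the thread, once logon auditing is enabled on the VPN servers. This is an added example, not code from any poster: it filters an exported security log for watched accounts and builds a summary message. The CSV column layout, the account names, the addresses and the sample rows are constructed assumptions; 528, 540 and 529 are the Windows 2000/2003 logon event IDs.

```python
import csv
import io
from email.message import EmailMessage

# Logon event IDs that "Audit logon events" writes on Windows 2000/2003.
LOGON_EVENTS = {528: "logon", 540: "network logon", 529: "failed logon"}
WATCHED = {"jsmith", "svc-backup"}  # hypothetical accounts to alert on

# Constructed sample export of the VPN server's security log; the column
# layout is an assumption, adjust it to whatever your dump tool produces.
SAMPLE = """\
time,event_id,computer,user
2004-03-01 08:02:11,540,VPN01,CORP\\jsmith
2004-03-01 08:05:40,540,VPN01,CORP\\alee
2004-03-01 08:09:03,529,VPN01,CORP\\JSmith
2004-03-01 08:10:00,560,VPN01,CORP\\jsmith
2004-03-01 08:12:30,528,VPN01,svc-backup
"""

def find_watched_logons(csv_text, watched=WATCHED):
    """Return logon events (success or failure) for watched accounts."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw_id = (row.get("event_id") or "").strip()
        if not raw_id.isdigit() or int(raw_id) not in LOGON_EVENTS:
            continue  # malformed row or not a logon event (e.g. object access)
        # Compare on the bare account name: strip the domain prefix, ignore case.
        account = (row.get("user") or "").rsplit("\\", 1)[-1].strip().lower()
        if account in watched:
            hits.append({"time": row["time"], "event_id": int(raw_id),
                         "computer": row["computer"], "account": account})
    return hits

def build_alert(hits, sender, recipient):
    """Build one summary e-mail for all hits, or None if nothing to report."""
    if not hits:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"{len(hits)} watched logon event(s) in VPN audit log"
    msg.set_content("\n".join(
        f'{h["time"]} {h["computer"]} {h["account"]}: '
        f'{LOGON_EVENTS[h["event_id"]]} (event {h["event_id"]})' for h in hits))
    return msg

if __name__ == "__main__":
    alert = build_alert(find_watched_logons(SAMPLE), "audit@example.com", "admin@example.com")
    print(alert)  # pass to smtplib.SMTP(<your relay>).send_message(alert) to send
```

Failed logons (529) are reported alongside successes so that repeated bad-password attempts against a watched account show up in the same alert.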
 