John said:
I am having trouble auditing only certain users' or groups' logon events. I have it set up to audit everybody, but can't seem to get it to only audit who I want. Any help would be appreciated.

Only auditing of "objects" (file/print/other OR Directory Service objects) is "ACL => ACE" based.

Access Control Lists on OBJECTS include "Access Control Entries" which are really just a pairing of Security Principal (SID) with an Access type (e.g., read, delete, etc.). These ACEs are almost identical to the ACEs used for file, printer, share, registry, etc. permissions but are in a separate "object property list" for auditing such objects.

Security Principals include Groups, Computers, and Users.

Since all other "auditing" is based on general (non-object specific) settings, you cannot monitor these (directly) on a per user/group basis.

You can post-process the audit logs using VBS or Perl scripts to filter only the desired security principals.
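
The post-processing step suggested in the reply, sketched in Python rather than VBS or Perl, as an added example that is not part of the original thread. It assumes the Security log was exported as concatenated `<Event>` elements with `wevtutil qe Security /f:xml`, that successful logons are event ID 4624 (Windows Vista/2008 and later), and that the watch list holds `DOMAIN\user` names with any group already expanded to its members; the events and `CORP` accounts below are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_EVENT_ID = "4624"  # assumption: successful-logon ID on Vista/2008 and later

def _event(event_id, time, user, domain, logon_type):
    """Build one trimmed, constructed event in the shape of the XML export."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        f"<System><EventID>{event_id}</EventID>"
        f"<TimeCreated SystemTime='{time}'/></System>"
        "<EventData>"
        f"<Data Name='TargetUserName'>{user}</Data>"
        f"<Data Name='TargetDomainName'>{domain}</Data>"
        f"<Data Name='LogonType'>{logon_type}</Data>"
        "</EventData></Event>"
    )

# Constructed sample export: no root element, events simply follow each other.
SAMPLE_EXPORT = "".join([
    _event("4624", "2024-01-15T08:01:12Z", "JSmith", "CORP", "10"),
    _event("4624", "2024-01-15T08:02:40Z", "backupsvc", "CORP", "5"),
    _event("4634", "2024-01-15T08:30:00Z", "jsmith", "CORP", "2"),  # logoff, skipped
    _event("4624", "2024-01-15T09:15:03Z", "jsmith", "CORP", "2"),
])

def filter_logons(export_text, watched):
    """Return (time, DOMAIN\\user, logon_type) for logons by watched accounts."""
    watched = {w.lower() for w in watched}  # account names are case-insensitive
    # The export has no single root, so wrap it before parsing.
    root = ET.fromstring("<Events>" + export_text + "</Events>")
    hits = []
    for ev in root.findall("e:Event", NS):
        event_id = (ev.findtext("e:System/e:EventID", namespaces=NS) or "").strip()
        if event_id != LOGON_EVENT_ID:
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        account = data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", "")
        if account.lower() in watched:
            when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            hits.append((when, account, data.get("LogonType")))
    return hits

if __name__ == "__main__":
    for hit in filter_logons(SAMPLE_EXPORT, {"CORP\\jsmith"}):
        print(*hit)
```

The audit policy itself still records every logon; the filter only narrows what gets reviewed.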