Enabling an audit policy on my DC's

  • Thread starter Thread starter Harrison Midkiff
  • Start date Start date
H

Harrison Midkiff

Hello:

I am trying to enable auditing on my DC's. My setup is standard. All my
servers are in the "Domain Controllers" OU. I edited the "Default Domain
Controllers Policy" under "Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy". I enabled "Audit Account Management"
and a few others. When I looked in the Security log for the events which
should be generated by this setting they do not appear. I did a "gpresult
/v" and on the DC's are applying the "Default Domain Controllers Policy".

I followed TechNet doc 314977 "How to enable Active Directory access
auditing in Windows 2000" as a guide.

I am a bit confused why I am not getting the auditing? Does anyone have any
suggestions? Is there something I missed?
Harrison Midkiff
 
Hi Harrison,

The bottom of the article outlined: The policy change will not take place
immediately. Active Directory domain controllers automatically check for
policy changes to domain controller policy every five minutes. Replication
intervals also must be considered for the policy to propagate throughout
all domain controllers in the organization.

If the group policy still not applied.
1. run gpupdate/force to see the results
2. go back to check if you have edited the policy correctly.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------
 
Howdy Harrison!

Harrison said:
I am trying to enable auditing on my DC's. My setup is standard. All my
servers are in the "Domain Controllers" OU. I edited the "Default Domain
Controllers Policy" under "Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy". I enabled "Audit Account Management"
and a few others. When I looked in the Security log for the events which
should be generated by this setting they do not appear. I did a "gpresult
/v" and on the DC's are applying the "Default Domain Controllers Policy".
Click to expand...

So you checked *every* DC's security log for the corresponding entries?
The event will only be logged at the Domain Controller where the event
occured. So a user logs on authenticating on DC1, only DC1 will write
the successful login to it's security log.

cheers,

Florian
 
Back
Top