Failure audits not being logged

[Renato Martins]

I've also posted this at windows.server.security. sorry about that, but as
that's a group much less "visited", I've decided to cross-post here...

Hi all,

does someone have an idea of what might be happening? I have a Windows
Server 2003, for testing purposes. It's the only domain controller
(actually, the only PC on my network). I've adjusted the "Default domain
policy", so that the Success and Failuer of Account Logon and Logon Events,
are audited (by going to "Computer configuration", "Security Settings",
"Local Policies", "Audit policy").

After having set this up, I try to logon with a valid user, entering the
wrong password several times (for example, until account lockout). After
that, logging as administrator, and analyzing the security log, in event
viewer, I see no "Failure Audit" events. Only the "Success Audit" events...

Is there a bug related to the logging of failed logon attempts??? Any clues
on this?

Thanks in advance.
Renato

 

[Steven L Umbach]

You have to do that in the Domain Controller Security Policy and then it
should work.
I believe by default it is disabled in Domain Controller Security Policy and
since
Domain Security policy will not override same defined settings at the OU
level, the
OU policy will prevail. The domain controller container is not really
referred to as
an OU but in most respects it acts like one. Group Policy is applied in this
order
local>site>domain>OU and the last defined setting will prevail in a default
installation. The links below may be worth a read. There is an exception for
domain
password/account policy in that it can ONLY be defined at the domain level
for domain
users. --- Steve

http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/
en-us/distsys/part4/dsgch22.mspx
http://www.microsoft.com/technet/security/guidance/secmod144.mspx