Louis Herndon said:
Hello,
I have a Win2k mixed network. My users that use WinXp on
their systems keep having their security logs filled from
the server. Some even get full to a point where it will
not let them login with their usernames and passwords. I
have to log on to their computer locally as Administrator
and physically clear the security log. Once the entries
have been cleared, their regular logons work fine. How
can I disable this so that their logs do not fill or so
that the main server does not replicate the security log
to user computers?

This might be better discussed in the microsoft.public.win2000.group_policy
news group... but here are some thoughts...
Sounds like a GPO setting is hitting the XP pro machines with the audit
settings turned up so high that it fills the Security log too quickly. I
don't know if this was by design or by chance that the GPO setting is
hitting the machines. I've seen bad GroupPolicy designs that have these
settings turned on Domain Wide for all systems by setting it in the
DefaultDomainPolicy which is rather far reaching, when they really only
wanted it on Servers or Domain Controllers...
First off - Are you in charge of configuring Group Policy for your environment?
If not - you need to talk with the people that are responsible for GPO
settings. They could turn down the logging or move the log settings to a
more appropriate GPO elsewhere in your Active Directory design. <warning>
do not take GPO setting changes lightly - you will impact a number of
machines at once by changing GPO settings. Make sure you know what you are
doing and comfortable with working with GPOs.</warning>
In any event, it sounds like you have a couple of choices...
1) Are the XP systems in the right OU structure? They might be in the wrong
location and are getting the wrong GPO settings. You could relocate the
machines to a different OU that does not fall under the scope of the GPO
setting. But this would mean that the GPO falls out of scope for them and
will potentially reconfigure their machines into an undesired state. Might
not be the way to go.
2) You could block the GPO from being applied to the OU, but that would
block all sorts of other GPO settings that are in your overall GPO design.
I'm not a big fan of blocks. GPO design is a sensitive thing that you need
to look at the whole picture. Again, might not be the way to go.
3) You could create a new OU under the one they are currently in. Create a
new GPO object that would have the settings for "Computer
Configuration/Windows settings/Security Settings/Event Log". There are
three policies you could look at: Max Security Log size (increase it to a
couple of megs if you need to keep messages around), Retain Security log
(keep it for x days - shorten the number of days) and Retention Method
(overwrite as required, rather than Manual clearing)...
Option 3 sounds like it would have the least impact to the overall
configuration of the XP systems, but it would be changing the behaviour of
your GroupPolicy design - Maybe someone wants to have the security logs
around for that long or log as many things as they do... I don't know what
it was originally intended to do.
Talk to your GPO folks and review GPO settings. You could change the same
settings on the local XP systems by opening the GroupPolicy MMC snap-in
focused on the XP local system, but any settings applied locally would be
overridden by Domain settings on the next policy refresh.
Rick Claus, MCSE (W2K with W2K3 pending)
Network Engineer, IPSD
Qunara Inc.
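
The three Event Log policies named in option 3 can be reviewed offline from a security template (.inf). The following is an added example, not part of the original posts: the sample template is constructed, `review_security_log` is a hypothetical helper, and the size and day thresholds are assumptions chosen for illustration.

```python
import configparser

# Constructed sample, not taken from the poster's domain: the [Security Log]
# section of a security template (.inf). MaximumLogSize is in KB.
SAMPLE_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 2
RetentionDays = 7
"""

# AuditLogRetentionPeriod values as used in security templates.
RETENTION = {0: "overwrite as needed", 1: "overwrite by days", 2: "manual clearing"}

def review_security_log(template_text, min_size_kb=2048, max_days=7):
    """Return (settings, findings) for the template's [Security Log] section.

    min_size_kb and max_days are assumed review thresholds, not Windows defaults.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(template_text)
    if not cp.has_section("Security Log"):
        return {}, ["no [Security Log] section: template leaves these policies unset"]
    sec = cp["Security Log"]
    size_kb = sec.getint("MaximumLogSize", fallback=None)
    method = sec.getint("AuditLogRetentionPeriod", fallback=None)
    days = sec.getint("RetentionDays", fallback=None)
    findings = []
    if size_kb is not None and size_kb < min_size_kb:
        findings.append(f"maximum size {size_kb} KB is below {min_size_kb} KB")
    if method == 2:
        findings.append("manual clearing: the log fills until an administrator clears it")
    elif method == 1 and days is not None and days > max_days:
        findings.append(f"events are kept {days} days, longer than {max_days}")
    settings = {"max_size_kb": size_kb,
                "retention_method": RETENTION.get(method, "not set"),
                "retention_days": days if method == 1 else None}
    return settings, findings

if __name__ == "__main__":
    settings, findings = review_security_log(SAMPLE_TEMPLATE)
    print(settings)
    for finding in findings:
        print("FINDING:", finding)
```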