Problems with Security Policy

  • Thread starter: Guest

Guest

We tried some of the Audit Events with our Windows 2000 Small Business
Server. For the Domain Controller Security Policy, and Domain Security
Policy, we defined the Audit Logon Events and Audit Object Access.

Audit Logon Events
We tried auditing both Success and Failure attempts last Thu, but on Fri we
changed to audit the Failure attempts only. But we don't understand why till
now, Success attempts are still logged. Why is it so?

Audit Object Access
We defined this with the intention to keep track of the personnel who
changed the files in a specific folder. If this is not defined, the changes
are not logged. But with this defined (as we audit both Success and Failure
attempts), there are so many unrelated events logged. Our primary goal is
only to monitor changes in one folder. What can we do to achieve this?

And now, after defining only 2 events, log files of the client PCs become
full every day. And administrators have to log in to clear them, otherwise
users cannot log in. What should we do?
 
> Audit Logon Events
> We tried auditing both Success and Failure attempts last Thu, but on Fri we
> changed to audit the Failure attempts only. But we don't understand why till
> now, Success attempts are still logged. Why is it so?

It may have not propagated fully yet. Has the server come up in the
event log that Group Policy has propagated without error?

The clients may not have updated the policy. Try running

secedit /refreshpolicy machine_policy
secedit /refreshpolicy user_policy

if they are Windows 2000 machines, and

gpupdate /force

if they are Windows XP SP2+ machines.

> Audit Object Access
> We defined this with the intention to keep track of the personnel who
> changed the files in a specific folder. If this is not defined, the changes
> are not logged. But with this defined (as we audit both Success and Failure
> attempts), there are so many unrelated events logged. Our primary goal is
> only to monitor changes in one folder. What can we do to achieve this?

You have two options.

One: Context-click (right mouse button) the folder in Windows Explorer,
click Properties. Click the Security tab, click the Advanced button,
click the Auditing tab, then click Add.

Two: In Group Policy, under Security Settings, there should be a File
System folder. Context-click (right mouse button) the RIGHT pane, and
select Add File. Traverse the drive until you find the folder you want.

> And now, after defining only 2 events, log files of the client PCs become
> full every day. And administrators have to log in to clear them, otherwise
> users cannot log in. What should we do?

Are you talking about security logs or app/system logs? If security,
successful logons can exceed 10000+ a day on a normal system.

Hope this helps!
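
Option One from the reply above (an auditing entry on the one folder), scripted as an added example that is not part of the original thread. It assumes a Windows version with PowerShell rather than the Windows 2000 machines in the question, an elevated session, and that Audit Object Access is still enabled in policy; the folder path and the `Everyone` principal are placeholder values.

```powershell
# Added example: scope file auditing to a single folder by placing an
# audit entry (SACL) on that folder only. Run from an elevated session.
# $Folder and $Principal are placeholders (assumptions, not from the thread).
$Folder    = 'D:\Shared\Projects'
$Principal = 'Everyone'

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    throw "Folder not found: $Folder"
}

# Audit only the access types that represent a change, so that reads and
# directory listings do not generate events.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Apply the entry to the folder itself, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Same choice as in the question: both Success and Failure attempts.
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $rights, $inherit, $propagate, $flags)

# -Audit is required; without it Get-Acl does not load the SACL.
$acl = Get-Acl -LiteralPath $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Read the SACL back to confirm what is now audited on this folder.
(Get-Acl -LiteralPath $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Object access events are written only for objects that carry an audit entry, so other folders should be checked for leftover entries if unrelated events keep appearing.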
 