Win2K Auditing / Security Event Log Problems

[Dalex]

I've installed Windows 2000 Server on four computers (new installs).
The servers are members of a Win2K domain.

I've enabled logging via the Local Security Setting MMC (Security
Setting/Local Policy/Audit Policy). However, absolutely no events
show up in the Security Log. Very strange.

When I view the Audit Policy window on these four servers, the Local
Setting shows [Success, Failure] but the Effective Setting shows [No
auditing].

I've checked with the administrators for the domain and they have
assured me that there is no domain level Group Policy in effect that
would override the local settings.

I'm at a loss. I've done this a score of times on other servers (in
different domains) and never have run into this problem.

One other note. I have upgraded an NT server to Win2k server on the
same domain. Auditing was set on the NT server before the upgrade.
The audit policy migrated when the server was upgrade to Win2k and the
server logs security event in the Security Event Log.

So -- with a clean install, the Security Events will not log.
With an upgrade, the Security Events will log.

Any ideas would be appreciated.

TIA

 

[Steven L Umbach]

If the effective setting shows different than the Local Security Policy,
then there is a policy overriding your local policy. Try running gpresult on
your servers to see where computer policy is being applied from. The /v
switch will give more detailed information. --- Steve

 

[Waseem]

Domain default policy overrides local security policy.
You have to enable auditing at domain level also. From
active directory users and computers right click the
domain name and select properties.
Then select group policy tab. Edit default domain policy
and make changes just like in you did in local policy of
the server. You may also have to define same policies on
domain controler OU also, but I am not sure about it.

-----Original Message-----
If the effective setting shows different than the Local Security Policy,
then there is a policy overriding your local policy. Try running gpresult on
your servers to see where computer policy is being applied from. The /v
switch will give more detailed information. --- Steve

I've installed Windows 2000 Server on four computers (new installs).
The servers are members of a Win2K domain.

I've enabled logging via the Local Security Setting MMC (Security
Setting/Local Policy/Audit Policy). However, absolutely no events
show up in the Security Log. Very strange.

When I view the Audit Policy window on these four servers, the Local
Setting shows [Success, Failure] but the Effective Setting shows [No
auditing].

I've checked with the administrators for the domain and they have
assured me that there is no domain level Group Policy in effect that
would override the local settings.

I'm at a loss. I've done this a score of times on other servers (in
different domains) and never have run into this problem.

One other note. I have upgraded an NT server to Win2k server on the
same domain. Auditing was set on the NT server before the upgrade.
The audit policy migrated when the server was upgrade to Win2k and the
server logs security event in the Security Event Log.

So -- with a clean install, the Security Events will not log.
With an upgrade, the Security Events will log.

Any ideas would be appreciated.

TIA

.