Auditing / Event Log Entries...

Ketta

Hi,
I enabled auditing through domain controller policy and then set audit
on success / failures for everything under C:. I only want to audit one
user's activity through the entire system when they log in to the domain
controller. Nothing shows up in the event log even though it is enabled. I
have never used auditing before, but it looked pretty straightforward.

1. Enable auditing in the policy
2. Enable auditing on the security tab of choice
3. Watch the audit logs flow.

TIA if anyone wants to educate me

Ketta
 
Ketta

I should probably mention I created a text file and then deleted it,
expecting that to show up as an entry in the security event log.
 
Steven L Umbach

You will have to enable auditing of object access on the computer where you
want to track object access for folders/files. If you enable it in Domain
Controller Security Policy it will record only files on the domain controller
that the user accesses. If you want to enable it on multiple computers you
will have to enable it at the domain or Organizational Unit level. Look for
event IDs 560 and 562 in the security logs of the computer or domain
controller that the user accesses. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx -- great
white paper on auditing
 
GX

Steve,

Let me stay on the same subject here...
Question: If you enable Object Access on Domain Controller (DC1SVR) to be
audited, how can you tell that the file (test.txt) under the machine
WINXPPRO24 > C:\Documents and Settings\John.Doe\My Documents\My Test Files
was accessed by the user Mary Jane?

Do you have to enable the Auditing on that specific folder on the remote
machine or can you do it from the DC?

Thanks
GX
 
Steven L Umbach

You would have to first enable auditing of object access on computer
WINXPPRO24 and then audit that parent folder and/or the file test.txt for
whatever permissions you wanted to audit for the user Mary Jane [assuming
you want to audit just that user]. Then you would have to look in the
security log on WINXPPRO24 for Event IDs 560 and 562 to see if she has
accessed that file. Object access and the actual folder/file auditing needs
to be enabled on the computer where the folder/file resides. --- Steve
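
The two steps described in the reply above (an audit entry on the folder for one user, then a search of that computer's Security log), as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell session on the computer that holds the files and that "Audit object access" is already enabled in that computer's policy; the folder path and account name are constructed placeholders.

```powershell
# Added example: run on the computer where the folder/file resides.
$Folder  = 'C:\Path\To\AuditedFolder'   # placeholder: folder to audit
$Account = 'EXAMPLE\mjane'              # placeholder: the one account to audit
$User    = $Account.Split('\')[-1]      # account name without the domain part

# 1. Build an audit entry for this account only, for success and failure,
#    inherited by subfolders and files below $Folder.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($Account, $rights, $inherit, $prop, $flags)

# 2. Add the entry to the folder's existing audit list (SACL).
#    -Audit is required, otherwise Get-Acl does not return the SACL.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Confirm the entry is in place.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 4. Search this computer's Security log. 560 is the object-open event and
#    562 the handle-close event named in the thread (Windows Vista and later
#    log the same events as 4656 and 4658).
$events = Get-EventLog -LogName Security -InstanceId 560, 562 -Newest 2000 -ErrorAction SilentlyContinue

# Keep the 560 entries that mention both the audited folder and the account.
$events |
    Where-Object { $_.EventID -eq 560 -and
                   $_.Message -like "*$Folder*" -and
                   $_.Message -like "*$User*" } |
    Sort-Object TimeGenerated |
    Format-List TimeGenerated, EventID, EntryType, Message
```

An empty result after a test access usually means one of the two prerequisites is missing on that computer: the object access policy or the audit entry on the folder.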
 
