Auditing Logon Events

  • Thread starter Thread starter John
  • Start date Start date
J

John

I am having trouble auditing only certain users or groups
logon events. I have it setup to audit everybody, but
can't seem to get it to only audit who I want. Any help
would be appreciated.

Thanks,
John Dombrowski
 
John said:
I am having trouble auditing only certain users or groups
logon events. I have it setup to audit everybody, but
can't seem to get it to only audit who I want. Any help
would be appreciated.

Only Auditing of "objects" (file/print/other OR Directory Service objects)
are
"ACL => ACE" based.

Access Control Lists on OBJECTS include "Access Control Entries" which are
really just a pairing of Security Principal(SID) with an Access type (e.g.,
read,
delete, etc.). These ACEs are almost identical to the ACEs used for file,
printer,
share, registry etc. Permissions but are in a separate "object property
list" for
auditing such objects.

Security Principals include Groups, Computers, and Users.

Since all other "auditing" is based on general (non-object specific)
settings you
cannot monitor these (directly) on a per user/group basis.

You can post-process the audit logs using VBS or Perl scripts to filter only
the
desired security principals.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Back
Top