Auditing Logons and Logoffs

barrycuda72

I am sure that this has been mentioned hundreds of times but still I
need some help in understanding a few things, so please bear with me.
Have a Win2k domain, 3 DCs, 800 users.
All computers are members of the domain and they log on as a domain\user.
I have enabled auditing on the Domain Controllers OU to audit logon
events for success and failure. I do not have Audit account logon
events enabled.
I have an event log program to centralize all of my security logs into
1 MSSQL server.

Now the real question. What is actually getting logged?
Here are examples of what I would like to see in the log.

1. User comes to work 8:00am, logs into their workstation as a
domain\user
Will I see an event in the DC security log? What will it be?
2. User goes to get coffee, locks computer
Will I see an event in the DC security log? What will it be?
3. A user's screen saver kicks in that requires a password to unlock
Will I see an event in the DC security log? What will it be?
4. User accesses a file\folder on a Windows share
Will I see an event in the DC security log? What will it be?
5. User goes home for the day, logs off of system
Will I see an event in the DC security log? What will it be?
 
Steven L Umbach

For domain users you really will only see useful information [for what you
are looking for] in the security logs of the domain controllers if you
enable auditing of "account logon" events. Then you will see when the user
logs on to their domain computer but unfortunately not when they log off.
To see when a user locks/unlocks/logs off you will need to enable auditing of
logon events on their domain computer and then get the information from that
computer's security log for those events. Auditing of logon events for
domain controllers shows only events when domain users and computers access
domain controllers such as the sysvol share [which is often]. For domain
controllers you may only want to audit logon events for failure only on a
routine basis to keep down the number of events in the security logs but to
show possible problems or attacks. To audit access to a folder you need to
first enable auditing of object access on the computer that has the share
and then audit the shares which then will show object access events in the
security log of the computer that has the share you are auditing. The link
below may be helpful. --- Steve

http://www.microsoft.com/technet/se...andmonitoring/securitymonitoring/default.mspx
-- The Security Monitoring and Attack Detection Planning Guide
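
An added example, not part of the thread: a sketch of how centrally collected logon events could be turned into per-user desk sessions once logon auditing is enabled on the workstations, while skipping the DC-side records that only reflect network access to the domain controllers. It assumes the Windows 2000 security event IDs 528 (logon), 538 (logoff) and 540 (network logon), which the thread does not mention; the row layout, host names and users are constructed.

```python
from datetime import datetime

# Windows 2000 "logon events" IDs (assumption: not named in the thread).
LOGON, LOGOFF = 528, 538      # 540 is a network logon, e.g. sysvol access on a DC
INTERACTIVE = 2               # logon type for a logon at the console

# Constructed sample rows, as a central collector might store them:
# (time, computer, event_id, user, logon_type, logon_id)
EVENTS = [
    ("2005-03-01 08:00:12", "WKS-041", 528, "CORP\\alice", 2, "0x3e4a1"),
    ("2005-03-01 08:00:15", "DC1",     540, "CORP\\alice", 3, "0x91b22"),
    ("2005-03-01 08:00:15", "DC1",     538, "CORP\\alice", 3, "0x91b22"),
    ("2005-03-01 17:02:40", "WKS-041", 538, "CORP\\alice", 2, "0x3e4a1"),
    ("2005-03-01 08:31:05", "WKS-077", 528, "CORP\\bob",   2, "0x4c010"),
]

def interactive_sessions(events, domain_controllers):
    """Pair logon/logoff by (computer, logon_id) for interactive logons
    recorded on member computers. Returns (user, computer, start, end)."""
    open_sessions, sessions = {}, []
    for ts, computer, event_id, user, logon_type, logon_id in sorted(events):
        # Logon events in a DC's own log describe access to the DC,
        # not the user's session at their desk, so they are skipped.
        if computer in domain_controllers or logon_type != INTERACTIVE:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (computer, logon_id)
        if event_id == LOGON:
            open_sessions[key] = (user, when)
        elif event_id == LOGOFF and key in open_sessions:
            who, start = open_sessions.pop(key)
            sessions.append((who, computer, start, when))
    # A logon with no matching logoff is kept with end=None rather than dropped.
    for (computer, _), (who, start) in open_sessions.items():
        sessions.append((who, computer, start, None))
    return sorted(sessions, key=lambda s: s[2])

if __name__ == "__main__":
    for who, computer, start, end in interactive_sessions(EVENTS, {"DC1"}):
        print(who, computer, start, end or "no logoff recorded")
```
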
 
