Authentication Auditing

Brad Baker

We are trying to ensure that we have auditing enabled for all login attempts
to either domain or local machine accounts.

I believe that we have enabled auditing for domain level accounts through
GPO. We have enabled "audit account logon events" and "audit logon events"
under Local Policies -> Audit Policy. I am seeing login attempts for domain
accounts on our domain controller's security logs but I am not seeing login
attempts for local accounts either in the domain controller's security logs
or on the local machine security logs.

How do we enable logging of authentication attempts against local (not
domain) accounts? Is this another GPO setting? Are we looking in the wrong
place? Alternatively, is there a setting at the local machine level that
needs to be set? Any information or assistance would be appreciated.

Thanks,
Brad Baker

Steven L Umbach

You have to enable auditing of "logon events" for the domain computers which
could be done in Domain Security Policy. Then you will see a type 2 logon
event recorded when a domain user logs onto the domain computer in that
domain computer's security log. The reason "audit logon events" does not
work for domain computers is because the account logon event is only
recorded on the computer that authenticates the user which is a domain
controller for domain users. --- Steve

Brad Baker

Steven -

I think I am either misunderstanding your answer or you aren't understanding
my question :) Perhaps an example would clarify.

We have two domain controllers: DC1, DC2
A whole bunch of domain workstations: IIS1, IIS2, IIS3
All of the machines above are part of a domain - let's call it dom1.

"Audit account logon events" and "Audit logon events" are enabled for
success and failures in the domain security policy for dom1.

Now let's say that I attempt to log into a secure website on IIS1 using the
dom1\administrator account and it fails.
I do see an event in the DC1 or DC2 security log. (So far so good)

Now I attempt to log into the same secure website on IIS1 using
IIS1\administrator.
I don't see an event in DC1, DC2 or IIS1 security log. What do I need to do
to make sure this event gets logged?

Thanks!
Brad Baker

Steven L Umbach

The failed logon for a "local" computer user for a domain computer would
only show in the security log of the domain computer itself - not the domain
controller assuming that auditing of logon events was indeed enabled for
that domain computer. Check Local Security Policy of the computer in
question to make sure that it indeed does show that auditing of logon events
is enabled for success and failure. For Windows 2000 computers look at the
effective setting. Then try clearing the current security log to make sure
it is not full and try again. Also try logging onto the local console for
that computer to see if any logon events are recorded or not. --- Steve

Brad Baker

> The failed logon for a "local" computer user for a domain computer would
> only show in the security log of the domain computer itself - not the
> domain controller assuming that auditing of logon events was indeed
> enabled for that domain computer.

OK, that's what I suspected; however, I am not seeing anything in the local
computer security log either.

> Check Local Security Policy of the computer in question to make sure that
> it indeed does show that auditing of logon events is enabled for success
> and failure. For Windows 2000 computers look at the effective setting.

It is enabled but the effective setting displays as "No Auditing". Why? How
do I correct this?

The auditing of logon events is enabled for success and failure in the
Domain Security Policy, so even if that was overriding the settings on the
domain workstation, the auditing should be enabled, shouldn't it? What am I
missing?

> Then try clearing the current security log to make sure it is not full and
> try again.

I've done this. It didn't have any effect.

Steven L Umbach

What may be happening is that another Group Policy has auditing defined for
logon events such as at the Organizational Unit Level. Use the support tool
gpresult to see what Group Policies are being applied to the computer. If
there is another GPO being applied then check the settings for that GPO to
see what it is for auditing and change it to suit your needs. If there is no
other domain/OU level GPO for that computer either there is a problem with
Group Policy processing on that computer or it has not propagated to that
computer yet. You could try a manual refresh of the Group Policy using the
command secedit /refreshpolicy machine_policy /enforce for a Windows 2000
computer or gpupdate /force for Windows 2003/XP Pro computers. If you use
gpupdate /force and it asks if you want to reboot you can select no for the
GP settings you are trying to refresh. If problems still persist you have a
deeper problem with Group Policy processing and the first place to look is
that the computer is configured to only use domain controllers as its
preferred DNS servers in TCP/IP properties and to run the support tool
netdiag on it to see if there are problems with network connectivity to
domain controllers, DNS, DC discovery, or trust/secure channel. --- Steve
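One way to check both points Steve raises on the workstation itself (the effective audit setting that actually applies after every GPO is merged, and what really lands in that machine's Security log for local-account logons), as an added PowerShell example that is not part of this thread. It assumes Windows Vista / Server 2008 or later, where auditpol.exe and event IDs 4624/4625 replaced the tools and event numbers the thread's Windows 2000/2003/XP machines used, and an elevated session.

```powershell
# Added example, not from the thread. Assumes Windows Vista / Server 2008 or later,
# PowerShell 5.1+, and an elevated session (reading the Security log requires it).

# 1. Effective audit policy on THIS machine: the merged result of Local Security
#    Policy and every GPO applied to the computer, i.e. the value that showed
#    "No Auditing" in the thread even though the domain policy enabled it.
#    "Logon/Logoff" is what the thread calls "audit logon events";
#    "Account Logon" is "audit account logon events" (credential validation).
auditpol.exe /get /category:"Logon/Logoff"
auditpol.exe /get /category:"Account Logon"

# 2. Logon attempts against LOCAL accounts in the last 24 hours. 4624 = success,
#    4625 = failure. A local account carries the machine name, not the domain,
#    in TargetDomainName, so filtering on $env:COMPUTERNAME isolates exactly the
#    events the thread could not find (they are written here, never on the DC).
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddDays(-1)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Account   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType = $data.LogonType      # 2 = interactive console, 3 = network, ...
            Source    = $data.IpAddress
            Status    = $data.Status         # NTSTATUS failure code, present on 4625 only
        }
    } |
    Where-Object { $_.Account -like "$env:COMPUTERNAME\*" } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If step 1 shows the subcategories enabled but step 2 returns nothing after a deliberate bad local-account logon, the problem is upstream of auditing (the logon never reached this machine's LSA, or the log was cleared), not the policy.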