Event Viewer Group Policy Audit logon events
Right click Application | Properties | Filter tab |
Make sure that all Event types are selected.
Right click Security | Properties | Filter tab |
Make sure that all Event types are selected.
Right click System | Properties | Filter tab |
Make sure that all Event types are selected.
If XP Pro, Group Policy. I have no idea with XP Home.
Open Group Policy Editor...
Start | Run | Type: gpedit.msc | Click OK |
Set both Audit account logon events & Audit logon events for Success &
Failure
From Group Policy HELP...
[[Audit account logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy
Description
Determines whether to audit each instance of a user logging on to or
logging
off from another computer in which this computer is used to validate the
account.
If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when an account logon attempt succeeds.
Failure audits generate an audit entry when an account logon attempt
fails.
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and
clear
the Success and Failure check boxes.
If success auditing for account logon events is enabled on a domain
controller, an entry is logged for each user who is validated against that
domain controller, even though the user is actually logging on to a
workstation that is joined to the domain.
Default:
No auditing for domain controllers.
Undefined for a member computer. ]]
[[Audit logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy
Description
Determines whether to audit each instance of a user logging on to, logging
off from, or making a network connection to this computer.
If you are logging successful Audit account logon events on a domain
controller, workstation logon attempts do not generate logon audits. Only
interactive and network logon attempts to the domain controller itself
generate logon events. In short, "account logon events" are generated
where
the account lives; "logon events" are generated where the logon attempt
occurs.
If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a logon attempt succeeds. Failure
audits
generate an audit entry when a logon attempt fails. To set this value to
no
auditing, in the Properties dialog box for this policy setting, select the
Define these policy settings check box and clear the Success and Failure
check boxes.
Default: No auditing.]]
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In
Alton Davis said:
I have 2 PCs, one is XP Pro and the other is XP Home and noticed that the
Event Viewer for the XP Pro machine never shows anything while on the XP
Home machine it only shows success audits. Neither machine shows
anything
for Internet Explorer. Both show events for Application, System,
MSFWSVC,
and Windows Onecare. Just curious as to how event logging can be started
or stopped and whether or not which events are logged can be controlled.
Thanks,
Al
