Failure audits not being logged

Archived from groups: microsoft.public.win2000.security

I've also posted this at windows.server.security. Sorry about that, but as
that's a group much less "visited", I've decided to cross-post here...

Hi all,

Does someone have an idea of what might be happening? I have a Windows
Server 2003, for testing purposes. It's the only domain controller
(actually, the only PC on my network). I've adjusted the "Default domain
policy", so that the Success and Failure of Account Logon and Logon Events
are audited (by going to "Computer configuration", "Security Settings",
"Local Policies", "Audit policy").

After having set this up, I try to log on with a valid user, entering the
wrong password several times (for example, until account lockout). After
that, logging on as administrator and analyzing the security log in Event
Viewer, I see no "Failure Audit" events. Only the "Success Audit" events...

Is there a bug related to the logging of failed logon attempts??? Any clues
on this?

Thanks in advance.
Renato
  1. Archived from groups: microsoft.public.win2000.security

    You have to do that in the Domain Controller Security Policy and then it
    should work. I believe by default it is disabled in Domain Controller
    Security Policy and since Domain Security policy will not override same
    defined settings at the OU level, the OU policy will prevail. The domain
    controller container is not really referred to as an OU but in most
    respects it acts like one. Group Policy is applied in this order
    local>site>domain>OU and the last defined setting will prevail in a
    default installation. The links below may be worth a read. There is an
    exception for domain password/account policy in that it can ONLY be
    defined at the domain level for domain users. --- Steve

    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    http://www.microsoft.com/technet/security/guidance/secmod144.mspx

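The precedence rule described in the answer, as an added example that is not part of the original thread: it resolves audit settings across GPOs in application order and reports which policy leaves failures unaudited. It assumes the settings are in security template (.inf) form, where the `[Event Audit]` values are 0 (none), 1 (success), 2 (failure) and 3 (both); the two templates are constructed to reproduce the symptom in the question.

```python
import configparser

FAILURE = 2  # [Event Audit] values: 0 none, 1 success, 2 failure, 3 both

def audit_settings(inf_text):
    """Parse the [Event Audit] section of a security template (.inf text)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original key case
    cp.read_string(inf_text)
    if not cp.has_section("Event Audit"):
        return {}  # nothing defined here, so this GPO overrides nothing
    return {key: int(value) for key, value in cp.items("Event Audit")}

def effective(gpos):
    """gpos: (name, inf_text) pairs in application order (domain, then OU)."""
    result = {}
    for name, inf_text in gpos:
        for key, value in audit_settings(inf_text).items():
            result[key] = (value, name)  # last defined setting prevails
    return result

def failure_gaps(result):
    """Settings whose winning value does not audit failures."""
    return sorted((k, gpo) for k, (v, gpo) in result.items() if not v & FAILURE)

# Constructed sample templates, not taken from a real SYSVOL.
DOMAIN_GPO = """[Version]
signature="$CHICAGO$"
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
"""
DC_GPO = """[Version]
signature="$CHICAGO$"
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 1
"""

if __name__ == "__main__":
    order = [("Default Domain Policy", DOMAIN_GPO),
             ("Default Domain Controllers Policy", DC_GPO)]
    for key, gpo in failure_gaps(effective(order)):
        print(f"{key}: failures not audited, value set by {gpo}")
```
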