Auditing / Event Log Entries...

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,
I enabled auditing through domain controller policy and then set audit
on success / failures for everything under C:. I only want to audit one
users activity through the entire system when they login to the domain
controller. Nothing shows up in the event log even though it is enabled. I
have never used auditing before, but it looked pretty straight forward.

1. Enable auditing in the policy
2. Enable auditing on the security tab of choice
3. Watch the audit logs flow.

TIA if anyone wants to educate me

Ketta

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

I should probably mention I created a text file and then deleted it,
expecting that to show up as an entry in the security event log.

"Ketta" <no@post.net> wrote in message
news:uoCWgokqEHA.3252@TK2MSFTNGP14.phx.gbl...
> Hi,
> I enabled auditing through domain controller policy and then set audit
> on success / failures for everything under C:. I only want to audit one
> users activity through the entire system when they login to the domain
> controller. Nothing shows up in the event log even though it is enabled.
I
> have never used auditing before, but it looked pretty straight forward.
>
> 1. Enable auditing in the policy
> 2. Enable auditing on the security tab of choice
> 3. Watch the audit logs flow.
>
> TIA if anyone wants to educate me
>
> Ketta
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

You will have to enable auditing of object access on the computer where you
want to track object access for folders/files. If you enable in Domain
Controller Security Policy it will record only files on domain controller
that the user accesses. If you want to enable in on multiple computers you
will have to enable it at the domain or Organizational Unit level. Look for
event ID's 560 and 562 in the security logs of the computer or domain
controller that the user accesses. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx -- great
white paper on auditing

"Ketta" <no@post.net> wrote in message
news:uoCWgokqEHA.3252@TK2MSFTNGP14.phx.gbl...
> Hi,
> I enabled auditing through domain controller policy and then set audit
> on success / failures for everything under C:. I only want to audit one
> users activity through the entire system when they login to the domain
> controller. Nothing shows up in the event log even though it is enabled.
> I
> have never used auditing before, but it looked pretty straight forward.
>
> 1. Enable auditing in the policy
> 2. Enable auditing on the security tab of choice
> 3. Watch the audit logs flow.
>
> TIA if anyone wants to educate me
>
> Ketta
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Steve,

Let me stay on the same subject here...
Question: If you enable Object Access on Domain Controller (DC1SVR) to be
audited, how can you tell that the file (test.txt) under the machine
WINXPPRO24 > C:\Documents and Settins\John.Doe\My Documents\My Test Files
was accessed by the user Mary Jane?

Do you have to enable the Auditing on that specifi folder on the remote
machine or can you do it from the DC?

Thanks
GX

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
newsQk8d.119482$wV.11272@attbi_s54...
> You will have to enable auditing of object access on the computer where
> you want to track object access for folders/files. If you enable in Domain
> Controller Security Policy it will record only files on domain controller
> that the user accesses. If you want to enable in on multiple computers you
> will have to enable it at the domain or Organizational Unit level. Look
> for event ID's 560 and 562 in the security logs of the computer or domain
> controller that the user accesses. --- Steve
>
> http://www.microsoft.com/technet/security/guidance/secmod144.mspx --
> great white paper on auditing
>
> "Ketta" <no@post.net> wrote in message
> news:uoCWgokqEHA.3252@TK2MSFTNGP14.phx.gbl...
>> Hi,
>> I enabled auditing through domain controller policy and then set audit
>> on success / failures for everything under C:. I only want to audit one
>> users activity through the entire system when they login to the domain
>> controller. Nothing shows up in the event log even though it is enabled.
>> I
>> have never used auditing before, but it looked pretty straight forward.
>>
>> 1. Enable auditing in the policy
>> 2. Enable auditing on the security tab of choice
>> 3. Watch the audit logs flow.
>>
>> TIA if anyone wants to educate me
>>
>> Ketta
>>
>>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

You would have to first enable auditing of object access on computer
WINXPPRO24 and then audit that parent folder and/or the file test.txt for
whatever permissions you wanted to audit for the user Mary Jane [assuming
you want to audit just that users]. Then you would have to look in the
security log on WINXPPRO24 for Event ID's 560 and 562 to see if she has
accessed that file. Object access and the actual folder/file auditing needs
to be enabled on the computer where the folder/file resides. --- Steve


"GX" <GX@DOMAIN.com> wrote in message
news:Hid9d.70225$uN5.7435@tornado.tampabay.rr.com...
> Steve,
>
> Let me stay on the same subject here...
> Question: If you enable Object Access on Domain Controller (DC1SVR) to be
> audited, how can you tell that the file (test.txt) under the machine
> WINXPPRO24 > C:\Documents and Settins\John.Doe\My Documents\My Test Files
> was accessed by the user Mary Jane?
>
> Do you have to enable the Auditing on that specifi folder on the remote
> machine or can you do it from the DC?
>
> Thanks
> GX
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> newsQk8d.119482$wV.11272@attbi_s54...
>> You will have to enable auditing of object access on the computer where
>> you want to track object access for folders/files. If you enable in
>> Domain Controller Security Policy it will record only files on domain
>> controller that the user accesses. If you want to enable in on multiple
>> computers you will have to enable it at the domain or Organizational Unit
>> level. Look for event ID's 560 and 562 in the security logs of the
>> computer or domain controller that the user accesses. --- Steve
>>
>> http://www.microsoft.com/technet/security/guidance/secmod144.mspx --
>> great white paper on auditing
>>
>> "Ketta" <no@post.net> wrote in message
>> news:uoCWgokqEHA.3252@TK2MSFTNGP14.phx.gbl...
>>> Hi,
>>> I enabled auditing through domain controller policy and then set
>>> audit
>>> on success / failures for everything under C:. I only want to audit one
>>> users activity through the entire system when they login to the domain
>>> controller. Nothing shows up in the event log even though it is
>>> enabled. I
>>> have never used auditing before, but it looked pretty straight forward.
>>>
>>> 1. Enable auditing in the policy
>>> 2. Enable auditing on the security tab of choice
>>> 3. Watch the audit logs flow.
>>>
>>> TIA if anyone wants to educate me
>>>
>>> Ketta
>>>
>>>
>>
>>
>
>