Audit Software Restriction Policy

Guest
Archived from groups: microsoft.public.win2000.security

Hi

We now have this software restriction policy which prevents users
running applications from various places. Not only would we like to stop
them, we'd like to know who tried :)

How can I turn on auditing for this? I'd like it to record every time a
user tries to run an app?

tia
andy
 
Guest

I think that the events would be recorded in the application or system log
without enabling any more policies. I know of no specific audit policy that
could track that otherwise unless you want to enable auditing of object
access on the computer and then audit folders for failure for the execute
permissions for files only in the apply onto selection. The problem with
enabling auditing of object access is that a lot of events may be recorded
in the security log by the system for seemingly unrelated events and it
would not work on removable media. --- Steve


"andy smart" <anonymus@discussions.microsoft.com> wrote in message
news:ck5uic$gtm$1@newsfeed.th.ifl.net...
> Hi
>
> We now have this software restriction policy which prevents users
> running applications from various places. Not only would we like to stop
> them, we'd like to know who tried :)
>
> How can I turn on auditing for this? I'd like it to record every time a
> user tries to run an app?
>
> tia
> andy
 
Guest

Steven L Umbach wrote:
| I think that the events would be recorded in the application or system log
| without enabling any more policies. I know of no specific audit policy that
| could track that otherwise unless you want to enable auditing of object
| access on the computer and then audit folders for failure for the execute
| permissions for files only in the apply onto selection. The problem with
| enabling auditing of object access is that a lot of events may be recorded
| in the security log by the system for seemingly unrelated events and it
| would not work on removable media. --- Steve
|
|
| "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| news:ck5uic$gtm$1@newsfeed.th.ifl.net...
|
| Hi
|
| We now have this software restriction policy which prevents users
| running applications from various places. Not only would we like to stop
| them, we'd like to know who tried :)
|
| How can I turn on auditing for this? I'd like it to record every time a
| user tries to run an app?
|
| tia
| andy

Just to sort of 'close the call' you were right, the events are recorded
in the local logs. I can use eventquery to pull the data off into a file
and view it from there.

thanks for your help
andy
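
The last message describes pulling the logged events into a file with eventquery. As an added example (not part of the thread), this Python script summarizes such an export per user. It assumes a CSV export with the column names shown and that SRP blocks are logged under source "Software Restriction Policies" with event IDs 865-868; the sample rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Assumptions to confirm against your own logs: event source name and IDs.
SRP_SOURCE = "Software Restriction Policies"
SRP_RULE_BY_ID = {"865": "default level", "866": "path rule",
                  "867": "publisher rule", "868": "hash/zone rule"}
BLOCKED_PATH = re.compile(r"Access to (.+?) has been restricted", re.IGNORECASE)

# Constructed sample export; the column names are assumed, not from the thread.
SAMPLE_CSV = r'''"Type","Event","Date Time","Source","ComputerName","Category","User","Description"
"Warning","866","10/8/2004 9:14:02 AM","Software Restriction Policies","WS01","None","EXAMPLE\jdoe","Access to C:\Temp\game.exe has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000000} placed on path C:\Temp."
"Information","866","10/8/2004 9:20:41 AM","ExampleApp","WS01","None","EXAMPLE\jdoe","Constructed unrelated event that happens to share an ID."
"Warning","865","10/8/2004 10:02:17 AM","Software Restriction Policies","WS02","None","EXAMPLE\asmith","Access to D:\setup.exe has been restricted by your Administrator by the default software restriction policy level."
"Warning","866","10/8/2004 11:45:30 AM","Software Restriction Policies","WS01","None","EXAMPLE\jdoe","Access to C:\Documents and Settings\jdoe\Desktop\tool.exe has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000000} placed on path C:\Documents and Settings."
'''


def blocked_attempts(csv_text):
    """Return {user: [(when, rule kind, blocked path), ...]} for SRP block events."""
    attempts = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        rule = SRP_RULE_BY_ID.get(row["Event"].strip())
        # Require both the SRP source and a known ID; IDs alone are not unique.
        if row["Source"].strip() != SRP_SOURCE or rule is None:
            continue
        match = BLOCKED_PATH.search(row["Description"])
        path = match.group(1) if match else "(path not parsed)"
        user = row["User"].strip() or "N/A"
        attempts[user].append((row["Date Time"], rule, path))
    return dict(attempts)


if __name__ == "__main__":
    for user, hits in sorted(blocked_attempts(SAMPLE_CSV).items()):
        print(f"{user}: {len(hits)} blocked launch(es)")
        for when, rule, path in hits:
            print(f"  {when}  {rule:<14}  {path}")
```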