Auditing entries in DC Security log

Discussion in 'Active Directory' started by Chris White, Mar 3, 2006.

  1. Chris White

    Hi,

    I am trying to find out who is doing what to what folder within a directory.
    I enabled Auditing via GP and set the folder up for auditing. Now the only
    entries I get in the DC security log are a bunch of 538 and 540 events. I
    want to know what file, its path and so forth. I am missing the 576 events.
    What am I missing?
     
    Chris White, Mar 3, 2006
    #1

  2. First thing to do is run RSoP against the server that holds the folder and
    ensure the auditing settings are defined. If so, please explain what
    settings you enabled and what you set on the folder's SACL.
     
    Paul Williams [MVP], Mar 4, 2006
    #2

  3. Chris White

    I ran RSOP and I get the following message "GPO higher in the list have
    highest priority". So that tells me (I think) that some other GP is
    overriding this policy. I checked the winlogon.log file on the local machine
    and I get the below entry. Does the entry "Audit/Log configuration was
    completed successfully" mean that the GP Setting is correct? The policy in
    question is the highest policy setting so that should be the one that is
    applied. I verified all membership settings as being correct.

    Any ideas are greatly appreciated.

    ----Reading Configuration Template info...


    ----Configure Security Policy...
    Configure password information.
    Configure account force logoff information.

    System Access configuration was completed successfully.
    Configure event audit settings.

    Audit/Log configuration was completed successfully.
    Configure machine\software\microsoft\windows\currentversion\policies\system\disablecad.
    Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.

    Configuration of Registry Values was completed successfully.
     
    Chris White, Mar 7, 2006
    #3
  4. Looks like settings of some kind are being applied. Can you use RSoP or
    GPRESULT? Have you defined auditing on the ACL of the folder in question?
    Is this machine within scope of the GPO that is enabling auditing?
     
    Paul Williams [MVP], Mar 19, 2006
    #4
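
The three checks asked for in the replies above (effective audit policy, the folder's SACL, and GPO scope) can be run together on the server that holds the folder. This is an added example, not part of the original thread; it assumes PowerShell and the `auditpol` subcategory syntax of Windows Vista / Server 2008 or later, an English-language system, an elevated session, and a placeholder folder path.

```powershell
# Added example, not from the thread. $FolderPath is a placeholder; pass the real folder.
# Run elevated: reading a SACL requires the "Manage auditing and security log" right.
param([string]$FolderPath = 'D:\Shares\Example')

# 1. Effective audit policy for file access on THIS machine.
#    "auditpol /r" emits CSV; the "Inclusion Setting" column reads
#    "Success", "Failure", "Success and Failure" or "No Auditing" (English systems).
$policy = auditpol /get /subcategory:"File System" /r |
    Where-Object { $_ } |          # drop the blank lines auditpol prints
    ConvertFrom-Csv
$effective = $policy.'Inclusion Setting'
"File System audit policy : $effective"

# 2. Audit entries (SACL) on the folder itself. Without -Audit, Get-Acl
#    returns only the DACL and the SACL looks empty even when it is not.
$acl   = Get-Acl -Path $FolderPath -Audit
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
if ($rules.Count -eq 0) {
    "SACL on $FolderPath       : no audit entries"
} else {
    $rules | Format-Table IdentityReference, FileSystemRights, AuditFlags,
                          IsInherited, InheritanceFlags -AutoSize
}

# 3. Both halves are required before file access events are written.
if ($effective -eq 'No Auditing' -or $rules.Count -eq 0) {
    'Result: file access on this folder is not being audited yet.'
} else {
    'Result: policy and SACL are both in place.'
}

# 4. Which GPOs actually applied to the computer (scope and precedence).
gpresult /scope computer /r
```

If step 1 reports "No Auditing" while the GPO defines the setting, the `gpresult` output shows whether that GPO was applied to this computer or filtered out.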