
"Someone" has edited the group policy, audit logon/logoff?

Status
Not open for further replies.

SmbNorway (MIS, NO), Nov 7, 2002
Hello!

"Someone", an intruder who among other things has deleted users' files and edited the group policy on our servers, was logged on yesterday. We have now reset the password on several users, but I would dearly want to catch this person.

I have set up auditing of logon and logoff on the server in the group policies, both success and fail, but no event is logged in the security log. I have searched for this on the net but I cannot find a solution to it.

What am I missing?

smb
 
Which group policy are you talking about?

But if you want to log all "logon" events, then you should do this at the "Domain Controllers" OU.

And also set an account lockout policy. And maybe complex passwords.
But BEWARE! Account Policies should be applied at the DOMAIN GPO!!

Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5, soon MCSE2k
 
Hello!

The settings for logging the logoff and logon are set on the Domain GPO. But still no events are logged in the event viewer.

How else would I catch him if I don't set this up??

smb
 
Then, check and see how the policies are applied. Do you have a block inheritance there (in the Domain Controllers OU)?
Normally this should work without any problem.
I cannot imagine what mistake you made.

Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5, soon MCSE2k
 
Hello!

This is how I do it.

I open Active Directory Users and Computers, I mark the domain, right click and choose Properties, Group Policy, Default Domain Policy, Edit, Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, Audit account logon events, I mark "Define these policy settings", mark Success and Failure, close the window, choose OK.

I don't know what block inheritance is, but maybe this is something the "hacker" has done.

smb
 
Maybe he set a length of zero for your event logs (also a setting from the GPO).

But try to see the differences between a default configuration and what you have now. Also try to apply the default one.
See my answer in thread thread96-403270.

Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5, soon MCSE2k
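Added example, not code from the thread or from either poster: a PowerShell check of the things the replies above point at. It reports the effective audit policy as applied on the machine (the OP enabled only "Audit account logon events", which on a domain controller records Kerberos/NTLM authentication; "Audit logon events" records sessions opened on the machine itself, and the two categories are listed separately), the Security log size and retention mode (the "length of zero" case), whether inheritance is blocked on the Domain Controllers OU, and how many logon-related events actually arrived in the last day. It assumes a current Windows Server domain controller with auditpol.exe, Get-WinEvent and the GroupPolicy RSAT module, run from an elevated session; the event IDs 4624/4625/4634 are the current equivalents of the Windows 2000-era 528/540, 529 and 538, and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the thread). Checks the four things the replies point at:
# effective audit policy, Security log size, GPO inheritance on the Domain Controllers
# OU, and whether logon events are being written. Assumes a current Windows Server DC
# with auditpol.exe, Get-WinEvent and the GroupPolicy RSAT module; run elevated.
# $DomainControllersOU is a placeholder; substitute your own domain's DN.

$DomainControllersOU = "OU=Domain Controllers,DC=example,DC=com"   # placeholder

function Get-LogonAuditState {
    # Effective settings as applied on this machine, not what the GPO editor shows.
    # "Account Logon" covers authentication validated by the DC (Kerberos/NTLM);
    # "Logon/Logoff" covers sessions opened on this machine. The thread only enabled the first.
    foreach ($category in 'Account Logon', 'Logon/Logoff') {
        foreach ($line in (auditpol.exe /get "/category:$category")) {
            if ($line -match '^\s+(?<sub>\S.*?)\s{2,}(?<setting>No Auditing|Success and Failure|Success|Failure)\s*$') {
                [pscustomobject]@{
                    Category    = $category
                    Subcategory = $Matches.sub
                    Setting     = $Matches.setting
                }
            }
        }
    }
}

function Get-SecurityLogState {
    # A maximum size of zero, or a full log that never overwrites, drops events silently.
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        IsEnabled        = $log.IsEnabled
        MaximumSizeBytes = $log.MaximumSizeInBytes
        RecordCount      = $log.RecordCount
        LogMode          = $log.LogMode      # Circular = overwrite events as needed
    }
}

function Get-DomainControllersInheritance {
    # Blocked inheritance on the Domain Controllers OU stops a domain-level
    # audit policy from ever reaching the DCs, which matches the symptom in the thread.
    Import-Module GroupPolicy -ErrorAction Stop
    $inheritance = Get-GPInheritance -Target $DomainControllersOU
    [pscustomobject]@{
        InheritanceBlocked = $inheritance.GpoInheritanceBlocked
        LinkedGpos         = ($inheritance.GpoLinks | ForEach-Object { $_.DisplayName }) -join ', '
    }
}

function Get-RecentLogonEvents {
    param([int]$Hours = 24)
    # 4624 = successful logon, 4625 = failed logon, 4634 = logoff on current Windows
    # (Windows 2000 logged these as 528/540, 529 and 538).
    $filter = @{ LogName = 'Security'; Id = 4624, 4625, 4634; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count
}

'== Effective audit policy =='
Get-LogonAuditState | Format-Table -AutoSize
'== Security log =='
Get-SecurityLogState | Format-List
'== Domain Controllers OU inheritance =='
Get-DomainControllersInheritance | Format-List
'== Logon-related events in the last 24 hours =='
Get-RecentLogonEvents | Format-Table -AutoSize
```

If the audit policy table shows "No Auditing" for the Logon subcategory while the domain GPO defines it, or if InheritanceBlocked is True, the policy is not reaching the DC; if MaximumSizeBytes is 0 or the log is full with a non-circular LogMode, events are being generated but discarded. An empty event table with a correct policy and a healthy log means the machine you are querying is not the one that authenticated the session.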
 