Security audits not working?

[soulofmischief]

hi all,

im trying to get my security audits working. on the domain group policy ive got the audit policy to log success/failure of account logon events, account management, and logon events.

used secedit to refresh policies, then log off my account. use about four different accounts to log on and off.

check the security log, and there are no events listed?

what am i missing?

 

[w3bm0nki]

Couple things. Make sure the domain is replicated. It can also take 3-4 logons before a policy propogates down. Finally download GPOTOOL and GPRESULT to test the group policies. GPOTOOL will let you see if group policies have propogated and match on all DCs. GPRESULT will let you know what policies are propogating down with what settings. If you have a a Windows XP client, use Group Policy Management Console to see all the information graphically and if a policy is being denied.

 

[MitchCumstein]

If this is a domain controller, I believe it has to be set as a LOCAL security policy instead of a domain policy

 

[w3bm0nki]

If it is a domain controller, set it in the default domain controller policy. Also check to make sure the workstations you want to audit have correct permissions to Apply the policy.

 

[soulofmischief]

its a small network, w/ a single DC, so replication is not the issue.

ill check out the tools and see what i find.

gpedit on the xp boxes shows that logging is enabled for the above evemts...

thanks

 

[PHead2]

Check the size of the event log in the domain policy, unlikely problem but possible if someone changed it...