Auditing

MikdillyMikdilly Member Posts: 309
Trying to do auditing exercise in mspress book, chapter 6, pg 6-36, configured audit settings, enabled audit policy, did a gpupdate, logged on as user, created file on server, deleted file on server, it never shows an audit log of the file being deleted. It shouldn't matter that the user is in a nested group witihin the group being setup for auditing in the excercise, right? Filtering the log for just the user only shows logon/logoff and directory service access.

Comments

  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Perform a Resultant Set of Policies (RSoP) against the user and computer and make sure the GPO is being properly applied.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    You need to enable auditing in the local/group policy and specify the specific items you want audited. Definitely start with RSoP.
  • MikdillyMikdilly Member Posts: 309
    Ran the rsop for the user and computer, drilled down to Audit Object Access, there's a big red circle with an x in it. Click on the line and within the Precedence tab of Audit Object Properties it says 'GPO's higher in the list have the highest priority. The policy engine did not atempt to configure the setting. Check winlogon.log on the target machine.

    What would be the target machine, the server or workstation?
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Wherever the object is located. In your case the server.
  • MikdillyMikdilly Member Posts: 309
    Sorry, my fault, I was in the default domain policy when i should have been in domain controller security policy. It worked once file object access was enabled there. Thanks for the help.
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Easy mistake to make when you're dealing with a "1 server" farm like most 290 labs are.
Sign In or Register to comment.