Auditing
Mikdilly
Member Posts: 309
Trying to do auditing exercise in mspress book, chapter 6, pg 6-36, configured audit settings, enabled audit policy, did a gpupdate, logged on as user, created file on server, deleted file on server, it never shows an audit log of the file being deleted. It shouldn't matter that the user is in a nested group witihin the group being setup for auditing in the excercise, right? Filtering the log for just the user only shows logon/logoff and directory service access.
Comments
-
astorrs Member Posts: 3,139 ■■■■■■□□□□Perform a Resultant Set of Policies (RSoP) against the user and computer and make sure the GPO is being properly applied.
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□You need to enable auditing in the local/group policy and specify the specific items you want audited. Definitely start with RSoP.
-
Mikdilly Member Posts: 309Ran the rsop for the user and computer, drilled down to Audit Object Access, there's a big red circle with an x in it. Click on the line and within the Precedence tab of Audit Object Properties it says 'GPO's higher in the list have the highest priority. The policy engine did not atempt to configure the setting. Check winlogon.log on the target machine.
What would be the target machine, the server or workstation? -
Mikdilly Member Posts: 309Sorry, my fault, I was in the default domain policy when i should have been in domain controller security policy. It worked once file object access was enabled there. Thanks for the help.
-
astorrs Member Posts: 3,139 ■■■■■■□□□□Easy mistake to make when you're dealing with a "1 server" farm like most 290 labs are.