Auditing

Trying to do auditing exercise in mspress book, chapter 6, pg 6-36, configured audit settings, enabled audit policy, did a gpupdate, logged on as user, created file on server, deleted file on server, it never shows an audit log of the file being deleted. It shouldn't matter that the user is in a nested group witihin the group being setup for auditing in the excercise, right? Filtering the log for just the user only shows logon/logoff and directory service access.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

astorrs

Perform a Resultant Set of Policies (RSoP) against the user and computer and make sure the GPO is being properly applied.

dynamik

You need to enable auditing in the local/group policy and specify the specific items you want audited. Definitely start with RSoP.

Mikdilly

Ran the rsop for the user and computer, drilled down to Audit Object Access, there's a big red circle with an x in it. Click on the line and within the Precedence tab of Audit Object Properties it says 'GPO's higher in the list have the highest priority. The policy engine did not atempt to configure the setting. Check winlogon.log on the target machine.

What would be the target machine, the server or workstation?

astorrs

Wherever the object is located. In your case the server.

Mikdilly

Sorry, my fault, I was in the default domain policy when i should have been in domain controller security policy. It worked once file object access was enabled there. Thanks for the help.

astorrs

Easy mistake to make when you're dealing with a "1 server" farm like most 290 labs are.