Object Access Audit Policy for a Domain


Tom Glasser
08-31-2006, 09:37 PM
I am trying to figure out how Audit policies work. I got an "object access"
policy to work on a local server (call it Server 1). Specified changes in a
certain folder would show up in the Security Event Log of that server. But
then I tried to implement the policy on the Domain Controller for the entire
domain. A book I have says the folder events (on Server 1) should then show
up in the Security Event Log on the Domain Controller. But I am not seeing
the expected events getting logged. Any thoughts ??

Thanks,
Tom

Roger Abell [MVP]
08-31-2006, 10:19 PM
Either bad info in that book or it was misread.
Setting that policy and audit SACL(s) in a GPO linked to the
DCs OU will cause the DCs to cut audit events for accesses
made on the DCs to resources that are part of the DCs (that
meet the SACL criteria). That is all.
Setting the policy to audit object access in a GPO linked to
the domain will make that setting on all machines of the domain
to which it is applied. However, audit events are still controlled
by what SACLs say should be audited (and most people do not
set SACLs using GPOs), and when the event messages are cut
to the log these are on the machine where triggered (where the
SACL'd resources are).

"Tom Glasser" <TomGlasser@discussions.microsoft.com> wrote in message
news:0920CC9F-28D3-405D-8EEA-0BE3DD6BA024@microsoft.com...
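A way to check the reply's point on Server 1 itself. This is an added example, not code from the thread; it assumes a Windows version with the modern Security log (Vista/2008 or later, where the file-access event is ID 4663), an elevated PowerShell session on the member server, and a placeholder folder path.

```powershell
# Added example, not from the thread. Run elevated on Server 1, the member
# server that holds the folder. The folder path is a placeholder.
$Folder = 'D:\Shares\Finance'

# 1. Confirm the "Object Access" policy (from the domain-linked GPO or local
#    policy) is actually in effect on THIS machine. If the GPO has not refreshed
#    yet, 'gpupdate /target:computer /force' pulls it now instead of waiting for
#    the background refresh the thread calls "percolating".
auditpol /get /category:"Object Access"

# 2. The policy alone cuts nothing: the SACL on the folder decides what is
#    audited. Audit successful write/delete access by Everyone, inherited by
#    files and subfolders. Get-Acl needs -Audit to read and preserve the SACL.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Trigger an access, then look in the LOCAL Security log. As the reply says,
#    the event is written on the machine where the SACL'd resource lives, not on
#    the domain controller (use -ComputerName to query Server 1 from elsewhere).
Set-Content -Path (Join-Path $Folder 'audit-test.txt') -Value 'test'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } |
    Where-Object { $_.Message -like "*$Folder*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

If step 1 shows "No Auditing" while the GPO is linked, the policy has not applied yet; if it shows auditing but step 3 returns nothing, the SACL, not the policy, is what is missing.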

Tom Glasser
09-01-2006, 03:45 PM
Roger,

Thanks. If I understood the alphabet soup correctly, I should be able
to set the auditing policy for the entire domain on the DC, but with
event log entries made only on the servers or PCs on which the events
occur.

But now I'm faced with solving other mysteries. Like why DC policy changes
aren't showing up on other domain servers. And like why on my original
"local server" the local policy settings I made are grayed-out and won't let
me change them.

Confused,
Tom


Tom Glasser
09-01-2006, 04:14 PM
Roger,

Update to my earlier response:
It appears that my Domain policy change finally "percolated" down to my
local server. Not sure what the trigger or timing is on this, but it seemed
to take a while! Also, since the change involved "undoing" a policy setting,
those check boxes on the local server are no longer grayed-out.

I'm going to continue testing and sorting this all out.

Thanks,
Tom


Roger Abell [MVP]
09-02-2006, 12:19 AM
Good. The alphabet strudel is sometimes necessary to separate out
the involved factors. I see by this post you are now using GPO linked
to Domain instead of Domain Controllers OU.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Tom Glasser" <TomGlasser@discussions.microsoft.com> wrote in message
news:8931ED99-4680-4E53-84AE-90FDBD8D63D3@microsoft.com...