Win2K Auditing / Security Event Log Problems

View Full Version : Win2K Auditing / Security Event Log Problems

Dalex

I've installed Windows 2000 Server on four computers (new installs).
The servers are members of a Win2K domain.

I've enabled logging via the Local Security Setting MMC (Security
Setting/Local Policy/Audit Policy). However, absolutely no events
show up in the Security Log. Very strange.

When I view the Audit Policy window on these four servers, the Local
Setting shows [Success, Failure] but the Effective Setting shows [No
auditing].

I've checked with the administrators for the domain and they have
assured me that there is no domain level Group Policy in effect that
would override the local settings.

I'm at a loss. I've done this a score of times on other servers (in
different domains) and never have run into this problem.

One other note. I have upgraded an NT server to Win2k server on the
same domain. Auditing was set on the NT server before the upgrade.
The audit policy migrated when the server was upgrade to Win2k and the
server logs security event in the Security Event Log.

So -- with a clean install, the Security Events will not log.
With an upgrade, the Security Events will log.

Any ideas would be appreciated.

TIA

Steven L Umbach

If the effective setting shows different than the Local Security Policy,
then there is a policy overriding your local policy. Try running gpresult on
your servers to see where computer policy is being applied from. The /v
switch will give more detailed information. --- Steve

"Dalex" wrote in message
news:543970th2qdtgb0l5h30ekbfschinmv7pd@4ax.com...
> I've installed Windows 2000 Server on four computers (new installs).
> The servers are members of a Win2K domain.
>
> I've enabled logging via the Local Security Setting MMC (Security
> Setting/Local Policy/Audit Policy). However, absolutely no events
> show up in the Security Log. Very strange.
>
> When I view the Audit Policy window on these four servers, the Local
> Setting shows [Success, Failure] but the Effective Setting shows [No
> auditing].
>
> I've checked with the administrators for the domain and they have
> assured me that there is no domain level Group Policy in effect that
> would override the local settings.
>
> I'm at a loss. I've done this a score of times on other servers (in
> different domains) and never have run into this problem.
>
> One other note. I have upgraded an NT server to Win2k server on the
> same domain. Auditing was set on the NT server before the upgrade.
> The audit policy migrated when the server was upgrade to Win2k and the
> server logs security event in the Security Event Log.
>
> So -- with a clean install, the Security Events will not log.
> With an upgrade, the Security Events will log.
>
> Any ideas would be appreciated.
>
> TIA

Waseem

Domain default policy overrides local security policy.
You have to enable auditing at domain level also. From
active directory users and computers right click the
domain name and select properties.
Then select group policy tab. Edit default domain policy
and make changes just like in you did in local policy of
the server. You may also have to define same policies on
domain controler OU also, but I am not sure about it.

>-----Original Message-----
>If the effective setting shows different than the Local
Security Policy,
>then there is a policy overriding your local policy. Try
running gpresult on
>your servers to see where computer policy is being
applied from. The /v
>switch will give more detailed information. --- Steve
>
>
>"Dalex" wrote in message
>news:543970th2qdtgb0l5h30ekbfschinmv7pd@4ax.com...
>> I've installed Windows 2000 Server on four computers
(new installs).
>> The servers are members of a Win2K domain.
>>
>> I've enabled logging via the Local Security Setting
MMC (Security
>> Setting/Local Policy/Audit Policy). However,
absolutely no events
>> show up in the Security Log. Very strange.
>>
>> When I view the Audit Policy window on these four
servers, the Local
>> Setting shows [Success, Failure] but the Effective
Setting shows [No
>> auditing].
>>
>> I've checked with the administrators for the domain
and they have
>> assured me that there is no domain level Group Policy
in effect that
>> would override the local settings.
>>
>> I'm at a loss. I've done this a score of times on
other servers (in
>> different domains) and never have run into this
problem.
>>
>> One other note. I have upgraded an NT server to Win2k
server on the
>> same domain. Auditing was set on the NT server before
the upgrade.
>> The audit policy migrated when the server was upgrade
to Win2k and the
>> server logs security event in the Security Event Log.
>>
>> So -- with a clean install, the Security Events will
not log.
>> With an upgrade, the Security Events will log.
>>
>> Any ideas would be appreciated.
>>
>> TIA
>
>
>.
>