InstantForum.NET v4.1.4UltimateWindowsSecurity.com Forumhttp://forum.ultimatewindowssecurity.com/noreply@ultimatewindowssecurity.comTue, 07 Feb 2012 12:10:15 GMT20http://forum.ultimatewindowssecurity.com/Topic99-41-1.aspxI can't tell from that because each entry with "Special" means you have to drill down to see which permissions are enabled. If you drill down and look at which permissions are enabled on the Object and Properties tabs you should be able to figure it out.Tue, 18 Aug 2009 17:53:52 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic99-41-1.aspxRandy,<br><br>I think I may have provided the wrong setting in my previous post - I pulled that setting from the Permissions tab, not the Auditing tab. Here is what I have set under the Auditing tab:<br><br>Type Name Access Apply To<br>Success Everyone Special<br>Success Everyone Special<br>Success Domain Users All extended rights This object only<br>All Domain users Special This object and all des...<br>Success Administrators All extended rights This object only<br>Success Everyone Special This object and all des...<br><br>Of these, which entry ties to Event ID 565?<br><br>Thanks,<br>Jeff<br><br>Mon, 17 Aug 2009 09:31:07 GMTjwalzerhttp://forum.ultimatewindowssecurity.com/Topic99-41-1.aspxGoodness sakes yes! Turn that offSun, 16 Aug 2009 13:38:26 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic99-41-1.aspxRandy,<br><br>Is the following Auditing setting the one that generates the excessive 565 event IDs:<br><br>Type - Allow Name - Everyone Permission - Read All Properties<br><br>Thanks,<br>JeffFri, 14 Aug 2009 13:17:32 GMTjwalzerhttp://forum.ultimatewindowssecurity.com/Topic99-41-1.aspxThe combo edition has the SLS Interactive Edition which has a chapter/session devoted to AD audit policy.Wed, 10 Jun 2009 11:58:51 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic99-41-1.aspxRandy,<br><br>Would the Windows 2008 Security Log Resource Kit provide me with all of the information I'd need to tighten auditing on my Windows DCs?<br><br>Thanks,<br>JeffTue, 09 Jun 2009 14:34:44 GMTjwalzerhttp://forum.ultimatewindowssecurity.com/Topic99-41-1.aspxThanks Randy - I will refine the object level audit policy in Active Directory. I have attended your webinars and they are fantastic. I am looking forward to the next webinar on reducing noise.<br><br>Thanks,<br>Jeff<br><br>Tue, 09 Jun 2009 13:03:48 GMTjwalzerhttp://forum.ultimatewindowssecurity.com/Topic99-41-1.aspxYou need to refine your object level audit policy in Active Directory. That means going to the root of the domain in Active Directory Users and Computers, Security tab, Advanced, Audit. At that place configure your audit policy to audit the object types and permissions you desire and then use it to replace the audit policy on all sub-objects.</P><P>Normally the only thing I recommend auditing is changes to groupPolicyContainer objects and group policy and ACL related changes to OUs. My Security Log Resource Kit provides details on this as well as my free webinars at this site.Tue, 09 Jun 2009 10:01:36 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic99-41-1.aspxI am currently using GFI EventsManager as our SIM and I was wondering what the need is to log Event ID 565 - should I log only failures, or is there a need to log success as well? The reason I ask is that this Event ID is the overwhelming leader in number of events logged (within four days already over 1.6 million events logged)<br><br>Thanks,<br>JeffTue, 09 Jun 2009 09:45:23 GMTjwalzer