Forum Newbie
      
Group: Forum Members
Last Login: 6/11/2009 12:02:45 PM
Posts: 4,
Visits: 4
Randy, I have created a GPO in which I am logging both success and failure for 'Audit account logon events' and 'Audit logon events'. I am distributing this GPO to all DCs and member servers. I deliberately tried to log on to a DC with an incorrect password for the domain Administrator account, but for some reason I am not logging any 529s on the DC or any other DC. What am I doing wrong?
Expert
      
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329,
Visits: 0
1. Have you verified that the GPO was applied successfully to the DC in question? To find out: Run MMC.exe and load the Group Policy Snap-In to view that DC's local effective settings; check what audit policy is actually in force. Or run a Group Policy Results report on that DC from the Group Policy Management snap-in.
2. Is your security log on that DC filled up? What are the wrapping options for the security log?
Forum Newbie
      
Group: Forum Members
Thanks for the information, Randy. Here is what I have discovered. I ran Group Policy Results from within GPMC for the DC in question. The Summary shows that the Auditing Policy is being applied, but maybe you can explain this for me. When I look under the Settings, Local Policies/Audit Policies shows no auditing and the winning GPO being the Default Domain Controllers Policy. I didn't want to modify this policy and created a new policy with the auditing features I wanted enabled. Why weren't they applied? As for your other questions, my logging is set to 131072 KB with overwrite as needed.
Expert
      
Group: Administrators
Evidently your new GPO is being evaluated as lower priority than your Default DC Policy - a group policy issue. If your new GPO is linked to the root of the domain you will have to configure it as No Override/Enforced. If it is linked to the Domain Controllers OU then make it higher priority than the Default DC Policy.
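
The precedence rule described in the reply above, as an added example that is not part of the original thread: a simplified Python model of GPO processing (site, domain, OU, then enforced links) that shows which GPO wins each audit setting on a DC. The GPO name "Audit Logons" is hypothetical, and the model assumes the Default Domain Controllers Policy defines both settings as "No auditing", as the poster's GPMC report suggests.

```python
# Added illustration: simplified model of Group Policy precedence for one DC.
# Ignores local policy, Block Inheritance and security/WMI filtering.
from dataclasses import dataclass, field

LEVELS = ["site", "domain", "ou"]  # processing order; later levels win
DDCP = "Default Domain Controllers Policy"
NEW = "Audit Logons"               # hypothetical name for the poster's new GPO
AUDIT = {"Audit account logon events": "Success, Failure",
         "Audit logon events": "Success, Failure"}
NO_AUDIT = {name: "No auditing" for name in AUDIT}  # assumed DDCP content

@dataclass
class Link:
    gpo: str
    level: str             # "site", "domain" or "ou"
    order: int             # link order in the container; 1 = highest precedence
    enforced: bool = False
    settings: dict = field(default_factory=dict)  # only *defined* settings

def resolve(links):
    """Return {setting: (value, winning_gpo)} for the given GPO links."""
    # Normal links: site -> domain -> OU, and inside a container from the
    # highest link-order number down to 1, so every later write wins.
    normal = sorted((l for l in links if not l.enforced),
                    key=lambda l: (LEVELS.index(l.level), -l.order))
    # Enforced (No Override) links are written after all normal links; an
    # enforced link higher in the hierarchy beats one lower down.
    enforced = sorted((l for l in links if l.enforced),
                      key=lambda l: (-LEVELS.index(l.level), -l.order))
    result = {}
    for link in normal + enforced:
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

def scenario(level, order, enforced=False, ddcp_order=1):
    """DDCP linked to the Domain Controllers OU plus the new GPO as given."""
    return resolve([Link(DDCP, "ou", ddcp_order, settings=NO_AUDIT),
                    Link(NEW, level, order, enforced, AUDIT)])

if __name__ == "__main__":
    cases = {"domain root, not enforced": scenario("domain", 1),
             "domain root, enforced": scenario("domain", 1, enforced=True),
             "DC OU, below DDCP": scenario("ou", 2),
             "DC OU, above DDCP": scenario("ou", 1, ddcp_order=2)}
    for label, result in cases.items():
        value, winner = result["Audit logon events"]
        print(f"{label:28} -> {value!r} from {winner}")
```

On a real DC, the Group Policy Results report mentioned earlier in the thread gives the authoritative answer for the winning GPO.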
Forum Newbie
      
Group: Forum Members
Thanks for the update, Randy, but I went ahead and added the successful/failures for Logon/Logoff and Account Login events to the Default Domain Controller Policy and applied the new GPO to member servers. This seems to be working well and I will address the issue at a later time. In the meantime, not being an expert in Windows Logs like you, I am having some trouble deciphering the logs. For some reason, I keep getting 675 on the DCs (see below), and do not understand them since these are computer accounts. Can you explain this to me?

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 6/11/2009
Time: 12:01:03 AM
User: NT AUTHORITY\SYSTEM
Computer: EXCHCLE
Description:
Pre-authentication failed:
User Name: DPM2K7$
User ID: domain\DPM2K7$
Service Name: krbtgt/FQDN
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: IPAddress
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I seem to be getting a lot of these in the logs, and don't know what or where they are coming from. I have searched Google, but there is not a lot of information on this other than your article from Windows IT Pro. HELP!!!
Expert
      
Group: Administrators
Please repost this question under the forum for 675 and I will address it.