I would like to ask if somebody can advise me on my problem.
I need to enable event 4609 (in the Security log) on my Windows Server 2008 R2 system, which can inform me when the server was rebooted/shut down.
I found the articles http://technet.microsoft.com/en-us/library/dd772631(v=WS.10).aspx and http://www.stigviewer.com/check/V-26553.
Then I enabled this for testing in local policy and domain policy:
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit Security State Change" for success and failure
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" set to Enabled
I tested this on Windows Server 2008 R2, Windows 8 and Windows 7, and it doesn't work for me; it audits only event 4608, which informs me about system start... Can I ask for advice? I had a deadline yesterday and I can't resolve this problem...
After setting this option I checked it with these commands:
- "auditpol /get /category:*" - Success and Failure are set there
- "gpresult /H file.html" - generates HTML output showing whether the domain policies are applied on the system, and the policies are applied correctly.
I know about events 12, 13, 41, 1074, 1076, 6005 and 6006 in the System log, thanks to which I can track related activity (start and shutdown of services and the computer), but this is not enough for me...
Unfortunately these settings do not enable this event. Maybe something more should be enabled too, in policy?
In the articles below we don't see information about event 4609:
Windows 7 and Windows Server 2008 R2
Windows Vista and in Windows Server 2008
In the articles below (XLS lists) we can see information about event 4609:
Windows Server 2008 R2 and Windows 7
Windows Server 2008 and Windows Vista
Windows 7, Windows Server 2008 R2 - general description policy
for Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Which sources are true? And how should this work?
Please help.