Logon Redundancy
Posted 9/4/2015 3:17:20 PM
Forum Newbie

Group: Forum Members
Guys, answer me this. Logon policy is controlling logging of logon events on a local machine. Account Logon policy is logging logon events as submitted by another host.

So in the case of an end user logging into a member server using their Active Directory domain account, the member server is logging the event under its Logon policy success setting and the domain controller is logging the same action under its Account Logon policy success setting. Am I misunderstanding something here? This is duplicative.

As these are high volume events I'm tempted to turn off Logon success on the member servers and just let the domain controller capture it. I run an environment with an older SAN and we have to pare down excessive and duplicative logging as we believe it is really loading our SAN causing major latency issues. I think this would be a good move, as the only log events I'm really giving up are the successful logons to local accounts on member servers, which are few as we have very few local accounts.

Thoughts on this? I'm trying to "log smart".
Post #4946
Posted 10/15/2015 6:59:01 PM
Supreme Being

Group: Moderators
Many people have a logging strategy of just Domain Controllers for this reason. The problem is that you will miss activity that will only be recorded on that member server. For example, if you log into the member server with RDP, then you may get a 4624 event with type 10 (remote interactive), but the DC would only see this as a type 3 network logon.
Post #5104
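
An added example, not code from either poster: it parses 4624 events in the Windows event XML layout and reports which user and logon type pairs would no longer be recorded anywhere if only the domain controllers were collected. The host names, user names and sample events are constructed, and the sample mirrors the reply above (type 10 on the member server, type 3 on the DC).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def make_event(event_id, computer, user, logon_type):
    """Build a constructed Security event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')

# Constructed sample (hypothetical hosts and users), mirroring the reply:
# the member server records type 10 or 2, the DC records only type 3.
SAMPLE = [
    make_event(4624, "SRV01.example.local", "alice", 10),  # RDP to member server
    make_event(4624, "DC01.example.local", "alice", 3),
    make_event(4624, "SRV01.example.local", "bob", 2),     # console logon
    make_event(4624, "DC01.example.local", "bob", 3),
    make_event(4624, "SRV01.example.local", "carol", 3),   # network logon
    make_event(4624, "DC01.example.local", "carol", 3),
    make_event(4634, "SRV01.example.local", "alice", 10),  # logoff, ignored
]

def parse_4624(xml_text):
    """Return (computer, user, logon_type) for a 4624 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    computer = root.findtext("e:System/e:Computer", namespaces=NS)
    return computer, data["TargetUserName"], int(data["LogonType"])

def lost_if_dc_only(events, dc_hosts):
    """Map (user, logon type) pairs recorded only off the DCs to their hosts."""
    on_dc, off_dc = set(), defaultdict(set)
    for rec in filter(None, map(parse_4624, events)):
        host, user, ltype = rec
        if host in dc_hosts:
            on_dc.add((user, ltype))
        else:
            off_dc[(user, ltype)].add(host)
    return {(u, LOGON_TYPES.get(t, str(t))): sorted(h)
            for (u, t), h in off_dc.items() if (u, t) not in on_dc}

if __name__ == "__main__":
    for key, hosts in lost_if_dc_only(SAMPLE, {"DC01.example.local"}).items():
        print(key, hosts)
```

Run against an export of real Security events, the output is a list of the logon types that exist only in the member servers' logs, which is the visibility given up by disabling Logon success auditing there.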