Differentiate Between Reboots and Policy... Expand / Collapse
Author
Message
Posted 3/3/2011 3:34:13 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/3/2011 3:27:48 PM
Posts: 1, Visits: 0
When a Windows 2003 server boots up it applies the policy to the server and throws an event ID 612 in the security logs. This seems to be the same event thats also logged when an audit policy is changed. What I'm trying to do is differentiate between server reboots and a potential unauthorized policy change?

Any ideas?

Post #614
Posted 3/8/2011 6:28:30 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
What service pack are you running.  I thought they fixed that.  Anyway, look at event 512.  If you see a 612 without a nearby 512 that should indicate a real policy change.
Post #615
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 12:32pm