Event Code 5156 Filling Event Logs - How to... Expand / Collapse
Posted 4/8/2011 11:56:37 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 4/8/2011 11:46:55 AM
Posts: 1, Visits: 0
We currently have a Windows 2003 domain. The Windows 2008 servers that we have in our domain are currently filling their Event Logs with Event Code 5156 events (among others). We have used auditpol to disable the various Audit settings on the servers and verified that the settings were correct. A little while later the events started occurring again. When we checked the settings they had reverted back to Enabled. I am assuming that this is coming from a group policy. Windows 2008 servers in another OU we have that is blocking inheritance of the domain group policies retain the changes. The problem is since the domain is 2003 these Audit events are not defined in our group policies. Does anyone know of a way to disable these Audit events for 2008 server in a 2003 domain?
Post #628
Posted 4/11/2011 8:58:47 AM


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
The core problem is that Win2008 introduced audit subcategories and you really need to configure auditing at the subcategory level on 2008 so that you can disable these new noisy subcategories without disabling the other subcategories that you do need. 

The problem is that pre Windows 2008 R2, you cannot configure audit subcategories via group policy.  You must either stick with the legacy categories or you can configure computers one at a time with by running the local auditpol command.

With Win2008 R2 you get the ability to configure auditing at the subcat level with group policy.  All you have to do is edit any existing group policy object in a Win2003 domain from a Win2008 R2 computer and you will see the new policies.  They won't impact existing 2003 computers which keep reading the old settings in group polcy and the domain does not need to be upgraded or functionality level changed.

See http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Auditpol 

Post #629
« Prev Topic | Next Topic »

Permissions Expand / Collapse

All times are GMT -5:00, Time now is 5:19am