Hi Randy, not sure how well the copy and paste came over, but here are the results. All domain controllers except one had the following audit policy:

System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           Success and Failure
  SAM                                     No Auditing
  Certification Services                  Success and Failure
  Application Generated                   Success and Failure
  Handle Manipulation                     No Auditing
  File Share                              Success and Failure
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     Success and Failure
  DPAPI Activity                          No Auditing
  RPC Events                              Success and Failure
  Process Creation                        Success and Failure
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              Success and Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Success and Failure
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success and Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure

The one other DC had this audit setting, but it's been corrected to match the other DCs:

Category/Subcategory                      Setting
System
  Security System Extension               Success
  System Integrity                        Success
  IPsec Driver                            Success
  Other System Events                     Success
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           Success and Failure
  SAM                                     Success and Failure
  Certification Services                  Success and Failure
  Application Generated                   Success and Failure
  Handle Manipulation                     Success and Failure
  File Share                              Success and Failure
  Filtering Platform Packet Drop          Success and Failure
  Filtering Platform Connection           Success and Failure
  Other Object Access Events              Success and Failure
  Detailed File Share                     Success and Failure
Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             Failure
  Other Privilege Use Events              Failure
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         Success and Failure
  Filtering Platform Policy Change        Success and Failure
  Other Policy Change Events              Success and Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Success and Failure
  Directory Service Replication           Success and Failure
  Detailed Directory Service Replication  Success and Failure
  Directory Service Access                Success and Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure