1-949-407-5125
Im getting "logon auditing is disabled, some functionality will be unavailable for this DC" in the ALE app.
Im also getting "To View detailed information on logons enable Failure Audit Logon Policy on the target workstation" when I do an Examine.
I am using advanced audit logging.
My auditpol from a Domain controller:
C:\Windows\system32>auditpol /get /category:* System audit policy Category/Subcategory Setting System Security System Extension Success and Failure System Integrity Success IPsec Driver No Auditing Other System Events Success and Failure Security State Change Success Logon/Logoff Logon Success and Failure Logoff Success Account Lockout Failure IPsec Main Mode No Auditing IPsec Quick Mode No Auditing IPsec Extended Mode No Auditing Special Logon Success and Failure Other Logon/Logoff Events Success and Failure Network Policy Server No Auditing User / Device Claims Success and Failure Group Membership No Auditing Object Access File System No Auditing Registry No Auditing Kernel Object No Auditing SAM No Auditing Certification Services Success Application Generated No Auditing Handle Manipulation No Auditing File Share Success and Failure Filtering Platform Packet Drop No Auditing Filtering Platform Connection Failure Other Object Access Events Success and Failure Detailed File Share Failure Removable Storage Success and Failure Central Policy Staging No Auditing Privilege Use Non Sensitive Privilege Use No Auditing Other Privilege Use Events No Auditing Sensitive Privilege Use Success and Failure Detailed Tracking Process Creation Success Process Termination No Auditing DPAPI Activity Success and Failure RPC Events No Auditing Plug and Play Events No Auditing Token Right Adjusted Events No Auditing Policy Change Audit Policy Change Success Authentication Policy Change Success and Failure Authorization Policy Change Success MPSSVC Rule-Level Policy Change Success and Failure Filtering Platform Policy Change No Auditing Other Policy Change Events Failure Account Management Computer Account Management Success Security Group Management Success Distribution Group Management Success Application Group Management No Auditing Other Account Management Events Success User Account Management Success and Failure DS Access Directory Service Access Success and Failure Directory Service Changes Success Directory Service Replication No Auditing Detailed Directory Service Replication No Auditing Account Logon Kerberos Service Ticket Operations Success and Failure Other Account Logon Events Success and Failure Kerberos Authentication Service Success and Failure Credential Validation Success and Failure
My auditpol on a workstation.
C:\Windows\system32>auditpol /get /category:* System audit policy Category/Subcategory Setting System Security System Extension Success and Failure System Integrity Success IPsec Driver No Auditing Other System Events Success and Failure Security State Change Success Logon/Logoff Logon Success and Failure Logoff Success and Failure Account Lockout Success and Failure IPsec Main Mode No Auditing IPsec Quick Mode No Auditing IPsec Extended Mode No Auditing Special Logon Success and Failure Other Logon/Logoff Events Success and Failure Network Policy Server Success and Failure User / Device Claims Success and Failure Group Membership No Auditing Object Access File System No Auditing Registry No Auditing Kernel Object No Auditing SAM No Auditing Certification Services No Auditing Application Generated No Auditing Handle Manipulation No Auditing File Share Success and Failure Filtering Platform Packet Drop No Auditing Filtering Platform Connection No Auditing Other Object Access Events No Auditing Detailed File Share Failure Removable Storage Success and Failure Central Policy Staging No Auditing Privilege Use Non Sensitive Privilege Use No Auditing Other Privilege Use Events No Auditing Sensitive Privilege Use Success and Failure Detailed Tracking Process Creation Success Process Termination No Auditing DPAPI Activity Success and Failure RPC Events No Auditing Plug and Play Events No Auditing Token Right Adjusted Events No Auditing Policy Change Audit Policy Change Success Authentication Policy Change Success and Failure Authorization Policy Change No Auditing MPSSVC Rule-Level Policy Change Success and Failure Filtering Platform Policy Change No Auditing Other Policy Change Events No Auditing Account Management Computer Account Management Failure Security Group Management No Auditing Distribution Group Management No Auditing Application Group Management Failure Other Account Management Events No Auditing User Account Management Success and Failure DS Access Directory Service Access No Auditing Directory Service Changes No Auditing Directory Service Replication No Auditing Detailed Directory Service Replication No Auditing Account Logon Kerberos Service Ticket Operations No Auditing Other Account Logon Events Success and Failure Kerberos Authentication Service No Auditing Credential Validation Success and Failure
Can anybody point me to the correct advanced audit policy that needs to be changed?
