ALE - Logon auditing is disabled



#1 UlleTheBulle


Posted 04 October 2013 - 12:49 PM

Dear all,

Account Lockout Examiner says that "Logon auditing is disabled..." for my 3 DCs.
I've checked the Default Domain Controllers Policy, and auditing is enabled, and the RSOP confirms this:

Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit logon events: Success, Failure
- the rest is set to Failure only.

I tried rebooting, and re-applying GPO with, and I've checked the System-log for GPO processing errors. Still no luck. ALE still says it's disabled.

Thoughts?

Cheers,
Ulle

#2 jeffb


Posted 04 October 2013 - 04:45 PM

Ulle,

What if you run auditpol from a command line with this command? Does it show as being enabled?

auditpol /list /category:*

-Jeff

#3 UlleTheBulle


Posted 07 October 2013 - 09:33 AM

Hi Jeff,

The auditpol command shows "No auditing". Don't know if it's expected, since I'm not using Advanced Audit Policy settings in the DDC GPO. Maybe I should try that....
OK, so now I've enabled Advanced Audit Policy, and enabled auditing as per Randy's recommendations:

Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           Success and Failure
  SAM                                     No Auditing
  Certification Services                  Success and Failure
  Application Generated                   Success and Failure
  Handle Manipulation                     No Auditing
  File Share                              Success and Failure
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     Success and Failure
  DPAPI Activity                          No Auditing
  RPC Events                              Success and Failure
  Process Creation                        Success and Failure
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Success and Failure
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success and Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure 

After running some time with these settings, starting ALE still says "Logon auditing is disabled...", BUT shows a locked out account.
Ideas for getting rid of the warning from ALE?

Cheers,

Ulle





#4 jeffb


Posted 07 October 2013 - 10:32 AM

Ulle,

I think this KB will be helpful to you. :)

http://www.netwrix.com/kb/1571

-Jeff
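
An added example (not part of any post in this thread, and not Netwrix code): a PowerShell check that reads the effective per-subcategory policy from the CSV output of `auditpol /get /category:* /r`, rather than from the GPO/RSOP view, and reports whether the logon-related subcategories audit Success and Failure. The function name `Test-LogonAuditing`, the host name `DC01`, the placeholder GUIDs and the subcategory list are assumptions; the list is taken from the table posted above, not from ALE's documented requirements.

```powershell
# Assumption: subcategories of interest, taken from the table in post #3,
# not a documented requirement of Account Lockout Examiner.
$Required = 'Logon', 'Account Lockout',
            'Kerberos Authentication Service', 'Credential Validation'

function Test-LogonAuditing {
    param(
        [string[]] $CsvLines,                 # lines from: auditpol /get /category:* /r
        [string[]] $Subcategory = $Required
    )
    # auditpol /r prints a blank line after the CSV header; drop empty lines first.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Subcategory) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Success     = $setting -match 'Success'   # false for "No Auditing"
            Failure     = $setting -match 'Failure'
        }
    }
}

# Constructed sample in the /r CSV layout (host name and GUIDs are placeholders).
$g = '{00000000-0000-0000-0000-000000000000}'
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    ''
    "DC01,System,Logon,$g,Success and Failure,"
    "DC01,System,Account Lockout,$g,No Auditing,"
    "DC01,System,Kerberos Authentication Service,$g,Success,"
    "DC01,System,Credential Validation,$g,Success and Failure,"
)

# Offline run against the constructed sample.
$result = Test-LogonAuditing -CsvLines $sample
$result | Format-Table -AutoSize

# Anything not auditing both outcomes is listed as a gap.
$gaps = $result | Where-Object { -not ($_.Success -and $_.Failure) }
if ($gaps) { "Subcategories not auditing Success and Failure: $($gaps.Subcategory -join ', ')" }

# On a domain controller (elevated prompt), check the live policy instead:
#   Test-LogonAuditing -CsvLines (auditpol /get /category:* /r)
```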



