Jump to content


Photo

Logon auditing is disabled.


  • Please log in to reply
6 replies to this topic

#1 Perks

Perks

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 17 January 2019 - 11:16 AM

Hi,

 

Just testing ALE and seem to be getting the Audit Status shows "Logon auditing is disabled" message. I believe i have configured group policy correctly as per https://www.netwrix.com/kb/1571. 

 

Also, when a list of locked out accounts is provided should i be able to use the 'Examine' option if there is no workstation provided?

 

Thanks.



#2 Perks

Perks

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 17 January 2019 - 11:26 AM

This is my auditpol /get /category:* report:

 

Microsoft Windows [Version 6.3.9600]
© 2013 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
  User / Device Claims                    No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Plug and Play Events                    No Auditing
Policy Change
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
  Audit Policy Change                     Success
Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           Success
  Application Group Management            Success
  Other Account Management Events         Success
DS Access
  Directory Service Changes               Success
  Directory Service Replication           Success
  Detailed Directory Service Replication  Success
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              Success
  Kerberos Authentication Service         Success
  Credential Validation                   Success
 
C:\Windows\system32>


#3 Kirill K

Kirill K

    Advanced Member

  • Administrators
  • PipPipPip
  • 107 posts
  • Gender:Male

Posted 17 January 2019 - 11:40 AM

Hi there,

 

you have incorrectly configured auditing policies, look at the statement from the documentation:

"Set the Audit Account Management parameter to 'Success', and Audit Logon Events and Audit Account Logon Events to 'Failure'."

 

I could not reproduce the similar scenario, but you may go ahead and try to use Examine option, then please let me know the result.

 

Also, when a list of locked out accounts is provided should i be able to use the 'Examine' option if there is no workstation provided?


Best regards,
Forum Engineer
 


#4 Perks

Perks

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 17 January 2019 - 12:08 PM

Please ignore, waiting for group policy to update.....


#5 Perks

Perks

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 17 January 2019 - 12:53 PM

Hi,

 

Under Audit Polices i'v checked account logon are all failure, account management are all success and under local policies audit account logon event is failure also.

 

Thanks.



#6 jack.watson7890

jack.watson7890

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 18 January 2019 - 06:19 AM

thank you for the information, it was really helpful. 

regards

jack 



#7 princesskea60

princesskea60

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 27 June 2019 - 10:39 AM

The portable application improvement training is predominantly centered around building up the programming abilities that empower an individual to build up his/her own application. Android Institute in Gurgaon The course additionally gives enough weightage in building up the learning of different stages for application advancement. With this training, it is workable for an individual to create applications for different issues that are convenient just as tastefully delightful.






0 user(s) are reading this topic

0 members, guests, anonymous users