event audit logging levels.


Post by cymba » Thu Jan 19, 2012 6:08 am

Hi, I was hoping someone can help me with some information. I have a secedit command that is calling an .inf file. I am trying to convert some of this stuff to a GPO. In the [event audit] portion I am trying to decipher the logging levels, e.g. (auditobjectaccess = 3). The logging levels range from 0 to 3; can someone direct me to where I can discern what these logging levels represent? Thanks in advance.


Post by jvierra » Thu Jan 19, 2012 7:59 am

0=None
1=Success
2=Failure
3=Both

Do not look at secpol or secedit. Those went out after W2kSP2 I think.

Open MMC and add the Group Policy snap-in on any machine and set it to use the LocalMachine. This will display the correct current settings. The ones you are looking at may not be correct. You will also see that the settings are already decoded as they will need to be used in Group Policy. GP Edit converts the older policy settings when it finds them. This is not one but others have been updated.

If you set object access to 3 you will slow the machine to a crawl because every object that gets accessed will generate an audit.


AuditPolicyChange should be set to 3 because it will tell you when someone is trying to break in.

Auditing every access to DS will also slow the machine down.

These settings for object and DS are for diagnostic purposes and should only be used when necessary.

You should set AuditAccountLogon to 3
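The 0-3 values from the answer above, applied to a whole `[Event Audit]` section when reviewing a secedit template before moving it into a GPO. This is an added example, not part of the original thread; the function name, the sample template and the rule sets are assumptions made for illustration, with the rules taken from the advice in the post above.

```python
import re

# Bit 0 = Success, bit 1 = Failure, matching the 0-3 table in the post above.
LEVELS = {0: "None", 1: "Success", 2: "Failure", 3: "Both"}

# Review rules taken from the advice in the post above (not from vendor docs).
WANT_BOTH = {"auditpolicychange", "auditaccountlogon"}
NOISY_AT_BOTH = {"auditobjectaccess", "auditdsaccess"}

# Constructed sample template; the values are made up for this example.
SAMPLE_INF = """\
[Event Audit]
; comment lines start with a semicolon
AuditSystemEvents = 0
AuditObjectAccess = 3
AuditPolicyChange = 1
AuditAccountLogon = 3
AuditDSAccess = 2
AuditLogonEvents = 7
[Version]
signature="$CHICAGO$"
"""

def decode_event_audit(inf_text):
    """Return {setting: (value, level_name, note)} for the [Event Audit] section."""
    results, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and whitespace
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            # Section names are matched case-insensitively.
            in_section = header.group(1).strip().lower() == "event audit"
        if header or not in_section or "=" not in line:
            continue
        name, raw = (part.strip() for part in line.split("=", 1))
        if raw not in ("0", "1", "2", "3"):
            results[name] = (raw, "Invalid", "value outside 0-3")
            continue
        value, key, note = int(raw), name.lower(), ""
        if key in WANT_BOTH and value != 3:
            note = "post recommends 3 (Both)"
        elif key in NOISY_AT_BOTH and value == 3:
            note = "diagnostic use only; heavy event volume"
        results[name] = (value, LEVELS[value], note)
    return results

if __name__ == "__main__":
    for name, (raw, level, note) in decode_event_audit(SAMPLE_INF).items():
        print(f"{name:<20} {raw!s:>2}  {level:<8} {note}")
```

Templates exported by secedit are normally UTF-16, so read the file with `encoding="utf-16"` before passing its text to the function.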



Post by jvierra » Thu Jan 19, 2012 8:17 am

Sorry - this is a scripting forum and not a help desk.

These things can generally be answered by using google.

I found it in a couple of quick clicks.

Hint: it's a dword and is set to allow all hackers instant access. It should be set to 4,0 and NOT 4,4.

In case you haven't discovered this. The decodes for all of this are in the INF file.

Try posting in the Windows server forums. They provide a more help-desk-like forum and can answer your questions.


Post by jvierra » Thu Jan 19, 2012 8:57 am

Okay, thanks for your help, but honestly these are not help desk questions. I would challenge you to find any help desk personnel that would know this.

However, thanks for your help. I appreciate it!


Anyone trained in Windows Administration would know the answers to these questions. Microsoft support has trained people. Certification requires that you either know these answers or you know how to find the answers in the documentation.

I will admit that even some trained admins try to use secedit to update policy. I have not yet figured out why, although it is the only way to do certain things in a workgroup, although GP can be distributed in a workgroup too.


Post by jvierra » Thu Jan 19, 2012 9:31 am

No debate - AD is not Group Policy.

This is a scripting forum. You are asking general questions. I am glad I could get you started but I don't want to turn the forum into a general purpose help desk.

Did you certify in AD before Group Policy was made a part of the certification?

GP is an intimate part of AD and is covered extensively in all of the AD courses. Auditing is one of the main issues because it is how we diagnose a great many AD issues.



Post by jvierra » Thu Jan 19, 2012 10:08 am

All of these things have been available with Group Policy since W2K.

Don't worry about it. I just don't want us to wear out the forum on things that are not about scripting. Believe me. The guys in the Group Policy forum can answer these questions even better than I can.

Good luck and stay away from secedit. Use Local Policy MMC snap-in and you will not have these issues. Secedit does not deal with any of this gracefully.
