Failed logon event of domain account is not recorded on domain member server!
-
Saturday, March 02, 2013 5:52 AM
Hello,
I have trouble with Event Log in Windows 2008 server.
My server is a domain member. I set Audit Policy for both Failed and Success, but the server just records logs of Success logon (of domain account), and Failed logon of domain account on this domain member server is recorded on the Domain Controller. I don’t know how to fix this issue. Any guidance is appreciated.
-Peace.
All Replies
-
Saturday, March 02, 2013 4:38 PM
Run this on elevated command prompt : auditpol /set /subcategory:"Logon" /success:enable /failure:enable
-
Monday, March 04, 2013 7:02 AM
Hello ArnavSharma,
Actually I already configured this audit but failed logon events still are recorded on Domain Controller instead of Domain Member Server. I don’t know why. I also backed up the audit policy as follows.
=====================
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
DBSRV01,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success,,1
DBSRV01,System,Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Detailed File Share,{0CCE9244-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,File Share,{0CCE9224-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,SAM,{0CCE9220-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Registry,{0CCE921E-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Success,,1
DBSRV01,System,Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},No Auditing,,0
DBSRV01,System,Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},Success and Failure,,3
DBSRV01,,Option:CrashOnAuditFail,,Disabled,,0
DBSRV01,,Option:FullPrivilegeAuditing,,Disabled,,0
DBSRV01,,Option:AuditBaseObjects,,Disabled,,0
DBSRV01,,Option:AuditBaseDirectories,,Disabled,,0
=====================
-
Monday, March 04, 2013 7:09 AM
Post the results for: auditpol /get /category:*
Run this on an elevated command prompt.
- Proposed As Answer by Yan Li_Microsoft Contingent Staff, Moderator Wednesday, March 06, 2013 7:06 AM
-
Wednesday, March 06, 2013 7:12 AM Moderator
Hi,
As far as I know, those logon events should be recorded on Domain Controllers, not on workstations.
Account logon events. Audit this to record each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated in the domain controller's Security log when a domain user account is authenticated on a domain controller. These events are separate from logon events, which are generated in the local Security log when a local user is authenticated on a local computer. Account logoff events are not tracked on the domain controller.
For more details:
http://technet.microsoft.com/en-us/library/dd349800(v=ws.10).aspx
Hope this helps.
Regards,
Cataleya Li
TechNet Community Support
- Marked As Answer by Yan Li_Microsoft Contingent Staff, Moderator Monday, March 11, 2013 2:02 AM
- Unmarked As Answer by Yan Li_Microsoft Contingent Staff, Moderator Tuesday, March 12, 2013 1:23 AM
-
Monday, March 11, 2013 7:40 AM
Is this from domain controller? If yes, then events should be getting logged.
-
Monday, March 11, 2013 7:47 AM
Hello Yan Li,
When I read the document I also think like that.
However the logs of Success logon (of domain user account) are still recorded on member server's security log instead of Domain Controller in my current environment. Do you have any ideas?
-Peace.
-
Tuesday, March 12, 2013 1:25 AM Moderator
-
Tuesday, March 12, 2013 4:37 AM
No, it is from member server. I want to get logs from member server for local account and domain user account.
And current situation, the logs of Success logon (of domain user account) are still recorded on this member server's security log instead of Domain Controller. The logs of Failed logon (of domain user account) are recorded on DC. So it is difficult for me to manage event logs.
-
Tuesday, March 12, 2013 4:39 AM
Hello Yan Li,
I want to get logs from member server for local account and domain user account.
And current situation, the logs of Success logon (of domain user account) are still recorded on this member server's security log instead of Domain Controller. The logs of Failed logon (of domain user account) are recorded on DC. So it is difficult for me to manage event logs.
-Peace.
-
Wednesday, March 13, 2013 8:59 AM
Hi,
Please run auditpol /get /category:* on your MEMBER SERVER on which you want to audit logon events and paste the result here.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Thursday, March 14, 2013 8:59 AM
Hello Chris,
The following is the result.
C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
C:\Windows\system32>
-
Friday, March 15, 2013 1:17 AM
Hi,
From your result, both the audit logon/logoff and audit account logon have been configured as success and failure. If both account logon and logon/logoff audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on.
- Proposed As Answer by Yan Li_Microsoft Contingent Staff, Moderator Monday, March 18, 2013 2:27 AM
- Marked As Answer by Santosh Bhandarkar, Microsoft Community Contributor, Moderator Friday, March 22, 2013 3:17 AM
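
The split between logon events on the member server and account logon events on the domain controller, as described in the answer above, can be checked by pulling recent failures from both Security logs into one timeline. This is an added example, not part of the thread: DBSRV01 is the member server named in the posted policy backup, DC01 is a placeholder domain controller name, and the event IDs (4625, 4771, 4776) are the standard Windows Server 2008 IDs for these subcategories, not values quoted by the posters.

```powershell
# Added example. Run from an elevated PowerShell prompt with rights to read both Security logs.
$MemberServer     = 'DBSRV01'   # from the thread's policy backup
$DomainController = 'DC01'      # placeholder: replace with the DC that serves this member
$Since            = (Get-Date).AddHours(-1)

function Get-AuthFailure {
    param([string]$Computer, [int[]]$Id, [datetime]$After)

    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $After }
    # Get-WinEvent reports an error when no event matches; SilentlyContinue turns that into
    # an empty result (it also hides access errors, so verify connectivity separately).
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name instead of by position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # 4776 is written for successful validations too (Status 0x0); keep failures only.
            if ($data['Status'] -eq '0x0') { return }

            # 4625 and 4771 carry IpAddress; 4776 carries Workstation.
            $source = $data['IpAddress']
            if (-not $source) { $source = $data['Workstation'] }

            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                LoggedOn = $Computer
                EventId  = $_.Id
                Account  = $data['TargetUserName']
                Status   = $data['Status']
                Source   = $source
            }
        }
}

$rows = @(
    # Logon/Logoff category: 4625 is written on the machine where the logon was attempted.
    Get-AuthFailure -Computer $MemberServer -Id 4625 -After $Since
    # Account Logon category: 4771 (Kerberos pre-authentication failed) and 4776 (NTLM
    # credential validation) are written on the DC that validated the credentials.
    Get-AuthFailure -Computer $DomainController -Id 4771, 4776 -After $Since
)

$rows | Sort-Object Time |
    Format-Table Time, LoggedOn, EventId, Account, Status, Source -AutoSize
```

In a domain with several domain controllers, any of them may have validated the credentials, so repeat the second query against each DC.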


