Windows 2008 Server Audit policy
-
Tuesday, January 08, 2013 7:32 AM
Dear All,
We have windows 2008 Server 64bit along with SP1. we have ADS, DNS GPO it's working fine .
I would like to implement Audit policy for all my GPO client users and servers.
My current environment .
we have mixed OS users XP and 2003.
My task .
1. How can i monitor which user login to which PC
2. How can i monitor which System admin log in to which servers ( We have many servers)
3. How can i monitor which system admin modify ADS users password or create users or delete users.
Pls can u give me a good user guide .
Best Thanks
Subash
- Moved by Yan Li_Microsoft Contingent Staff, Moderator Friday, January 11, 2013 5:18 AM
All Replies
-
Tuesday, January 08, 2013 7:53 AM
Hi,
checking this article:
http://technet.microsoft.com/de-de/library/dd772712%28v=ws.10%29.aspx
Kind regards,
Tim
MCITP, MCTS
http://directoryadmin.blogspot.comThis posting is provided 'AS IS' with no warranties or guarantees and confers no rights.
"If this thread answered your question, please click on "Mark as Answer"
-
Tuesday, January 08, 2013 9:44 AM
Hi,
You can enable the corresponding audit options in a domain scoped gpo, and if needed(if you want to consider also local users) configure event forwarding.
The problem that you will have to configure custum wiew in event viewer(filter). It wont be an easy task.
You can use a third party tool that parses this details an give an easy to use dashboards:
http://www.manageengine.com/products/active-directory-audit/index.html
Some AD attributes may be also useful:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms676824(v=vs.85).aspx
- Edited by Optistic Tuesday, January 08, 2013 9:46 AM
-
Friday, January 11, 2013 5:18 AMModerator
Hi,
Based on my knowledge, logon events are auditted by default. We could check the default domain policy under:
computer configuration\Windows setting\Security settings\local policy\audit policy\audit logon events
And when users logon to domain, the account should be authenticated by DC, and then a logon event (4624 (logon) and 4634 (logoff)) will be logged on the DC.
For audit changing password, please refer to the below links:
Audit account management
http://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx
Auditing Password and Account Lockout Policy on Windows Server 2008 and R2
Regards,
Yan Li
Cataleya Li
TechNet Community Support
- Marked As Answer by Yan Li_Microsoft Contingent Staff, Moderator Tuesday, January 15, 2013 2:19 AM
-
Monday, February 04, 2013 9:47 AM
The 53 security audit policy settings under security settings / Advanced audit policy configuration can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities
Either you can go for a complete tracking solution which can track your windows server; & audit any changes/read/delete and user activity with in a network
Check this out also
.png)
