Windows Server 2008 R2 domain controllers

    Question

  • We recently upgraded the DC from Win2K3 to Win2K8 R2.

    I noticed I could not find event IDs 4722, 4720, 4738.

    We enabled account audit and account management audit in AD Group Policy. Every time I search for these event IDs in Event Viewer, nothing shows up. I even created a user and deleted a user.

    The Win2K8 security log is big. I scrolled all the way down to the bottom but only see one day's events.

    Cannot find the previous days' events.

    Tuesday, February 28, 2012 7:09 PM

Answers

  • Hello,


    Please make sure the "Overwrite events as needed (oldest events first)" checkbox has been checked. Also confirm that the SYSTEM, Administrators and EventLog accounts have Full Control permission on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security, then restart the computer.


    If account audit is applied in a GPO, use the RSoP command to confirm whether the policy is applied successfully or not.


    If the policy is applied successfully, please try to create a new security log:

    Go to services.msc and stop the Windows Event Log service.
    Go to C:\Windows\System32\winevt\Logs and rename security.evtx to security_old.evtx.
    Go to services.msc and restart Windows Event Log.
    Reboot the computer. A new security.evtx will be generated.


    Check if this helps.


    Thanks
    ZHANG

    Wednesday, February 29, 2012 3:57 AM
    Moderator
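The checks from the answer above, gathered into one read-only PowerShell session, as an added example that is not part of the original thread. It assumes an elevated PowerShell 2.0 prompt on the Windows Server 2008 R2 domain controller; auditpol, gpresult and Get-WinEvent all ship with that release. The event IDs and the registry key are the ones named in the thread; the 7-day search window is a local choice. The script does not stop the service or rename the log; it only shows whether the policy took effect, whether the key's ACL matches the answer, and whether the events still exist inside the current retention window.

```powershell
# Added diagnostic script (not from the original thread). Assumes an elevated
# PowerShell 2.0 session on the Windows Server 2008 R2 DC. Read-only: it does
# not change the log, the audit policy or the registry.

# 1. Effective audit policy. If the GPO did not apply, this line shows "No Auditing".
#    4720 (user created), 4722 (user enabled) and 4738 (user changed) are all in
#    the "User Account Management" subcategory.
auditpol /get /subcategory:"User Account Management"

# 2. Resultant Set of Policy for the computer, as the answer suggests (RSoP).
gpresult /r /scope:computer

# 3. Security log configuration: maximum size, retention mode, record count.
$log = Get-WinEvent -ListLog Security
"{0}: MaxSize={1:N0} MB, Mode={2}, Records={3}" -f $log.LogName, ($log.MaximumSizeInBytes / 1MB), $log.LogMode, $log.RecordCount

# 4. Permissions on the registry key named in the answer.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
(Get-Acl -Path $key).Access |
    Where-Object { $_.IdentityReference -match 'SYSTEM|Administrators|EventLog' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

# 5. Search the last 7 days (local choice) for the account-management events.
#    If the log wraps in under a day, as in this thread, older ones are gone.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4722, 4738; StartTime = $since } -ErrorAction SilentlyContinue
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
"Oldest record still in the log: {0}" -f $oldest.TimeCreated
if ($events) {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r`n")[0] } } |
        Format-Table -AutoSize
} else {
    "No 4720/4722/4738 events since $since. If the oldest record above is newer than the test user you created, the log wrapped and overwrote them."
}
```

If step 5 finds nothing while step 1 shows Success auditing enabled and the oldest record is only hours old, the cause is retention, not the audit policy or the ACL. If you still follow the answer's recreate-the-log steps afterwards, copy security_old.evtx somewhere safe before the reboot: it is the only record of the earlier events.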

All replies

  • Hey,

    Did you set up object auditing?

    Maybe this helps you:
    http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

    Greets
    Stephan

    Tuesday, February 28, 2012 8:03 PM
  • Yes, we did, but I noticed the security logs are overwritten so fast. I can only see one day's; the default setting is 20480 KB before being overwritten.
    Tuesday, February 28, 2012 11:51 PM
  • Thank you, Zhang for your good suggestion.

    I think the problem is "Overwrite events as needed". We only keep 20 MB on the domain controller. One day's events are much more than 20 MB. So that is why I could not see event IDs 4738 or 4720, which occur less often than other event IDs. Event IDs 4738/4720 were overwritten, I think.

    Do you think that will be the case? 

    Wednesday, February 29, 2012 4:02 PM
  • Hello,

    double posting please stick to your other one.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, February 29, 2012 9:51 PM
  • Hi,


    Yes, that’s possibly a reason why you cannot find Event ID 4720/4728. What about increasing the maximum log size from 20 MB to a larger one, say 200 MB, and checking?


    Thanks
    ZHANG

    Thursday, March 01, 2012 8:14 AM
    Moderator
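One way to act on the suggestion above, as an added example that is not part of the original thread. It generalises the fixed 200 MB figure: it measures how many days the current Security log actually spans, derives a bytes-per-day rate from that, and sizes the log for a retention goal. Assumptions: an elevated PowerShell 2.0 session on the domain controller; the log is already full, so its file size represents one complete retention window; the 30-day goal and the 200 MB floor are local choices, not figures from the thread.

```powershell
# Added example (not from the original thread). Assumes an elevated PowerShell 2.0
# session on the Windows Server 2008 R2 DC and a Security log that is already full.

# 1. How long does the current maximum size actually retain? Oldest vs newest record.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$spanDays = ($newest.TimeCreated - $oldest.TimeCreated).TotalDays
if ($spanDays -le 0) { $spanDays = 1 }   # guard for a log that was just recreated

# FileSize is the on-disk size of security.evtx; on a full circular log it is the
# amount of data one retention window holds (assumption stated above).
$bytesPerDay = $log.FileSize / $spanDays
"Current limit {0:N0} MB covers about {1:N1} days (~{2:N0} MB/day)" -f ($log.MaximumSizeInBytes / 1MB), $spanDays, ($bytesPerDay / 1MB)

# 2. Size for a retention goal. 30 days and the 200 MB floor are local choices.
$targetDays = 30
$newSizeMB  = [math]::Ceiling($bytesPerDay * $targetDays / 1MB)
$newSizeMB  = [math]::Max($newSizeMB, 200)
"Setting Security log maximum to {0} MB for ~{1} days of retention" -f $newSizeMB, $targetDays

# 3. Apply. Whole-MB values satisfy the 64 KB granularity the event log requires;
#    OverwriteAsNeeded keeps the behaviour the answer recommends.
Limit-EventLog -LogName Security -MaximumSize ($newSizeMB * 1MB) -OverflowAction OverwriteAsNeeded

# 4. Verify the new limit took effect.
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, LogMode
```

If the 20480 KB value came from a GPO (the Maximum Log Size setting under Event Log Service > Security, or the legacy Security Settings > Event Log policy), set the larger size there instead; a local Limit-EventLog change is put back at the next policy refresh. Re-run step 1 a week later to confirm the span now covers the target.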