Generating event log in domain controller instead of local pc

    Question

  • Dear Microsoft Experts,

    I am having an issue with event logging.

    Here is my problem statement.

    I need to survey how many users use pen drives in my organization.

    I have created a GPO for object access through Computer Configuration > Security Policy > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy > Object Access.

    When a pen drive is plugged into a PC, it generates event ID 4656; likewise, I know a pen drive was attempted on that PC.

    But for central monitoring, with >1000 PCs, I cannot go to each individual PC to check the Security event log.

    I have configured an event subscription collector and enabled all the services needed. Events from Windows 7 PCs are successfully being forwarded to my collector.

    So here are my issues:

    1- I have to deploy WinRM 2.0 on every XP PC, as WinRM is not installed by default. I cannot find the .msi version of WinRM 2.0. I do not want to deploy the .exe version using installation scripts.

    2- PCs running Windows 8.1 are not forwarding any events to the collector. All the services are up (winrm quickconfig).

    3- The above two are alternate solutions. What I actually want to do is this: instead of the log (event ID 4656) being generated on the local PC, I want the log to be generated on the domain controller, just like the logon/logoff event IDs.

    4- A solution to issue no. 3 would be my no. 1 priority; alternately, solutions to no. 2 and no. 1 are highly welcome.

    Thanks.

    Saturday, July 18, 2015 9:29 AM
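    The central-monitoring part of the question is the piece that can be automated today. The PowerShell below is an added example, not code from the original post or from Microsoft: it parses event ID 4656 records as the Security log emits them, pulls them from a WEF collector, and summarises them per source computer and user. It assumes the subscription delivers into the collector's ForwardedEvents log (the default destination), and the \Device\HarddiskVolumeN\ object-name pattern used to keep only volume handles is an assumption, as is the sample record, which is constructed with invented values.

```powershell
# Added example (not from the thread). Survey pen-drive use from the WEF collector
# by summarising forwarded 4656 events per computer and user.
# Assumptions: events land in ForwardedEvents; volume paths look like
# \Device\HarddiskVolumeN\; the sample record below is constructed.

function ConvertFrom-Event4656 {
    # Flatten one Security event (its XML text, e.g. from EventLogRecord.ToXml())
    # into the handful of fields the survey needs.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string]$EventXml)
    process {
        [xml]$doc = $EventXml
        $sys  = $doc.Event.System
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = [System.Xml.XmlConvert]::ToDateTime($sys.TimeCreated.SystemTime,
                              [System.Xml.XmlDateTimeSerializationMode]::Utc)
            Computer    = $sys.Computer
            User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectType  = $data['ObjectType']
            ObjectName  = $data['ObjectName']
            AccessMask  = $data['AccessMask']
        }
    }
}

function Get-Forwarded4656 {
    # Read 4656 from the collector. 4656 is a generic "handle to an object was
    # requested" event and fires for every audited object, so filter on the
    # object name to keep only volume-level handles (pattern is an assumption).
    param(
        [string]$LogName = 'ForwardedEvents',
        [int]$MaxEvents = 10000,
        [string]$ObjectNamePattern = '^\\Device\\HarddiskVolume\d+\\'
    )
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4656 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-Event4656 |
        Where-Object { $_.ObjectName -match $ObjectNamePattern }
}

function Get-UsageSummary {
    # One row per (Computer, User): event count plus first and last sighting.
    param([Parameter(ValueFromPipeline)] [psobject]$Record)
    begin { $rows = New-Object System.Collections.Generic.List[psobject] }
    process { $rows.Add($Record) }
    end {
        $rows | Group-Object Computer, User | ForEach-Object {
            $ordered = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                Computer = $ordered[0].Computer
                User     = $ordered[0].User
                Events   = $_.Count
                First    = $ordered[0].TimeCreated
                Last     = $ordered[-1].TimeCreated
            }
        } | Sort-Object Events -Descending
    }
}

# Constructed sample record in the shape the Security log emits (values invented),
# so the parsing and summary can be exercised without a collector at hand.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4656</EventID>
    <TimeCreated SystemTime="2015-07-18T09:29:00.123456700Z" />
    <Computer>PC0123.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">\Device\HarddiskVolume5\</Data>
    <Data Name="AccessMask">0x100080</Data>
  </EventData>
</Event>
'@

$sample | ConvertFrom-Event4656 | Get-UsageSummary | Format-Table -AutoSize

# On the collector itself (run elevated) the live survey is:
#   Get-Forwarded4656 | Get-UsageSummary | Export-Csv .\pen-drive-usage.csv -NoTypeInformation
```

    Two caveats a practitioner would want: 4656 only records that a handle was requested, not whether it was granted (that is 4663, and the "Audit Removable Storage" subcategory raises 4663 specifically for removable devices), so the counts above are attempts; and because the filter is a regular expression on ObjectName, anything that is not a volume root (files, registry keys) is dropped before grouping.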

Answers

  • Hi Sanjeev,

    >>1- I have to deploy WinRM 2.0 on every XP PC, as WinRM is not installed by default. I cannot find the .msi version of WinRM 2.0. I do not want to deploy the .exe version using installation scripts.

    Although you said you don't want to use a script to deploy the .exe, it is still an option. Group Policy can't deploy .exe files, but it can deploy a startup or logon script. If you really don't want to use a script, consider a tool like SCCM to deploy .exe files. Otherwise, you can also consider using a third-party tool to convert the .exe file to an .msi file.

    >>2- PCs running Windows 8.1 are not forwarding any events to the collector. All the services are up (winrm quickconfig).

    Here, you can follow the article below to troubleshoot and see if it helps.

    Q: What are some simple tips for testing and troubleshooting Windows event forwarding and collection?

    http://windowsitpro.com/security/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and-collec

    Please Note: Since the website above is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    >>What I actually want to do is this: instead of the log (event ID 4656) being generated on the local PC, I want the log to be generated on the domain controller, just like the logon/logoff event IDs.

    Based on my understanding, I am afraid this is not achievable. The reason account logon and logoff events are logged on domain controllers is that user accounts are authenticated by the domain controllers.

    Best regards,

    Frank Shen



    Tuesday, July 21, 2015 7:27 AM
    Moderator
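    For issue 2 the answer only points at an external article. The script below is an added example, not from the thread or from Microsoft: run elevated on one of the Windows 8.1 machines, it checks the usual causes of a source that is configured but never sends. It assumes a source-initiated subscription (the kind pushed by the "Configure target Subscription Manager" policy, which is what the registry check covers) and a collector name of collector.corp.example, which is a placeholder.

```powershell
# Added example (not from the thread). Source-side checks for a Windows 8.1
# machine that should forward to a collector but does not.
# Assumption: source-initiated subscription; $Collector is a placeholder name.
param([string]$Collector = 'collector.corp.example')

function Test-WefSource {
    param([string]$Collector)
    $checks = [ordered]@{}

    # 1. WinRM must be running and have at least one listener (what winrm quickconfig creates).
    $checks['WinRM service running']  = (Get-Service -Name WinRM).Status -eq 'Running'
    $checks['WinRM listener present'] =
        @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue).Count -gt 0

    # 2. The Event Forwarding GPO writes the collector address(es) here, as values
    #    named 1, 2, ... of the form
    #    Server=http://<collector>:5985/wsman/SubscriptionManager/WEC,Refresh=<seconds>
    #    No value means the policy never reached this machine (check gpresult / gpupdate).
    $smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $sm = Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue
    $servers = @()
    if ($sm) {
        $servers = @($sm.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value)
    }
    $checks['SubscriptionManager policy present'] = $servers.Count -gt 0
    $checks['SubscriptionManager value(s)']       = ($servers -join '; ')

    # 3. The forwarder reads the Security log as NETWORK SERVICE, which must be a
    #    member of the local Event Log Readers group (membership applies after a reboot).
    $members = & net.exe localgroup 'Event Log Readers' 2>$null
    $checks['NETWORK SERVICE in Event Log Readers'] =
        [bool](($members -join "`n") -match 'NETWORK SERVICE')

    # 4. The collector must answer WS-Management requests from this host (TCP 5985 by default).
    $checks['Collector reachable via WS-Man'] =
        $null -ne (Test-WSMan -ComputerName $Collector -ErrorAction SilentlyContinue)

    # 5. The forwarding plug-in records its own failures in this channel; surface
    #    the latest error-level entries verbatim rather than guessing.
    $errs = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Forwarding/Operational'; Level = 2 } `
                         -MaxEvents 5 -ErrorAction SilentlyContinue
    $checks['Recent forwarding errors'] =
        if ($errs) { ($errs | ForEach-Object Message) -join ' | ' } else { 'none' }

    [pscustomobject]$checks
}

Test-WefSource -Collector $Collector | Format-List
```

    On the collector side, wecutil es lists the subscriptions and wecutil gr <subscription name> shows each source's runtime state and last error, which tells you whether the 8.1 machines are checking in at all. The group-membership check matches the English account name; on a localized Windows the name differs, while the SID S-1-5-20 stays the same.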