Account Management -> Computer Account Management - Failure

    Question

  • Hello,

    I am new to Windows 2012.

    I am working on the following rule. Can anyone tell me what activity I should do to get the failure log? I just want to check this policy.

    The system must be configured to audit Account Logon - Computer Account Management failures


    To get the logs I have done the following (OS is Windows 2012 R2).

    Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit Computer Account Management" with "Failure" selected.



    Thursday, October 6, 2016 11:18 PM

All replies

  • Hi,
    Audit account management determines whether to audit each event of account management on a computer. Examples of account management events include:
    • A user account or group is created, changed, or deleted
    • A user account is renamed, disabled, or enabled
    • A password is set or changed
    Please check: https://technet.microsoft.com/en-us/library/cc976377.aspx
    If you want to audit account logon, you might need to enable the audit account logon events policy or the audit logon events policy. It determines whether to audit each instance of a user logging on or logging off of another computer where this computer was used to validate the account. Please see:
    Audit account logon events https://technet.microsoft.com/en-us/library/cc976367.aspx
    Audit logon events https://technet.microsoft.com/en-us/library/cc976395.aspx
    So please make your target clearer to us which would be helpful to troubleshoot further.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 7, 2016 1:58 AM
    Moderator
  • Well explained above, and I hope it will be helpful in resolving your concern in depth.

    Moreover, you may also walk through this other informative article, which also looks like an ideal approach to work around your situation - https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

    Please check if it helps you.

    Friday, October 7, 2016 9:59 AM
  • Hi Wendy Jiang and michaelsymondson,

    Thanks for your prompt reply.

    Actually, I configured this policy for both success and failure logs. When I join or remove the computer to or from the domain, I get logs for success. I want failure logs also, but I don't know what activity I should do to get the failure logs.

    Can you please suggest?

    Thanks in advance

     

    Friday, October 7, 2016 5:04 PM
  • Hi,
    If you define audit account management setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when any account management event is successful. Failure audits generate an audit entry when any account management event fails.
    https://technet.microsoft.com/en-us/library/cc976377.aspx
    You could do a test to remove a computer, but make sure that the activity must fail and then see if the failure event is logged.
    Best regards,
    Wendy


    • Marked as answer by vijay a singh Tuesday, October 11, 2016 11:17 PM
    Monday, October 10, 2016 3:14 AM
    Moderator

  • Hi Wendy Jiang,

    Thanks for the reply.
    I tried to remove the computer with admin rights, and the audit shows success. When I try to remove the computer as a standard user, it asks for the admin password. If we provide the admin password, it also shows success, but when I tried to remove the computer with a wrong password, it does not show any log. Success logs are coming for everything, but I am not getting failure logs.

    Thanks

    Tuesday, October 11, 2016 11:26 PM
  • Hi,
    In my opinion, it seems to be expected behavior, as your test failed in the process of authenticating the permission for removing the computer, not in the actual removal process. The failure log might be logged when a user with an administrator account fails to remove the computer.
    As Audit account management includes a password being set or changed, you could do a test as below: reset a user/computer password to one which doesn't meet the complexity in your password policy, then see if any log is recorded.
    Best regards,
    Wendy


    • Marked as answer by vijay a singh Wednesday, October 12, 2016 8:42 PM
    Wednesday, October 12, 2016 2:15 AM
    Moderator
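
An added example, not part of the thread or of any poster's reply: a PowerShell check to run after a test like the ones suggested above. It confirms that failure auditing for the subcategory is actually in effect and shows which subcategory each recent Audit Failure event was written under. It assumes an elevated session on the machine that records the event and an English-language OS.

```powershell
# Added example. Run elevated. Assumes an English-language OS, because
# auditpol and the event log report subcategory names in the display language.
$subcategory = 'Computer Account Management'

# 1. Effective setting on this machine (auditpol /r emits a CSV report).
#    This is what the system enforces, which can differ from what was
#    configured in the GPO editor if the policy has not applied yet.
$policy  = auditpol /get /subcategory:"$subcategory" /r |
               Where-Object { $_ } | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'
"Effective setting for '$subcategory': $setting"
if ($setting -notmatch 'Failure') {
    Write-Warning 'Failure auditing is not in effect; run gpupdate /force and re-check.'
}

# 2. Every Audit Failure event from the last hour, whatever its subcategory.
$filter = @{
    LogName   = 'Security'
    Keywords  = 4503599627370496        # "Audit Failure" keyword (0x10000000000000)
    StartTime = (Get-Date).AddHours(-1)
}
$failures = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 3. Count by event ID and task category. For Security events the task
#    category is the audit subcategory, so this shows where the failed
#    test was recorded, if it was recorded at all.
$failures | Group-Object Id, TaskDisplayName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4. Failures written under the subcategory being tested.
$hits = $failures | Where-Object { $_.TaskDisplayName -eq $subcategory }
if ($hits) {
    $hits | Format-List TimeCreated, Id, Message
} else {
    "No failure events under '$subcategory' in the last hour."
}
```

If step 3 lists failures only under other categories, the test failed before it reached an account management operation, which matches the explanation in the last reply.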