locked
Generate security event in domain controller instead of local PC RRS feed

  • Question

  • Dear Microsoft Experts,

    i am having some issue with event logging.

    here is my problem statement.

    I need to survey how many users use pen drive in my organization.

    I have created a GPO for object access through computer configuration>security policy>Advanced Audit policy configuration>system audit policies-local group policy>Object access.

    When pen drives are plugged on the PC, it generate an event ID 4656, like wise i know pen drives was attempted in that PC.

    but for central monitoring, and having >1000 pc, i cannot go on individual pc to check the security  event log.

    i have configured event subscription collector and enable all services needed. Events from windows 7 pc are successfully being forwarded to my collector. 

    so here are my issues:

    1- i have to deploy winrm 2.0 on every XP pcs's as winrm is not installed by default. i cannot find the .msi version of winrm2.0. i do not want to deploy the .exe version using installation scripts.

    2- PC having OS windows 8.1 are not forwarding any events to the collector. all the services are up (winrm quickconfig)

    3- The above 2 are alternate solutions. WHAT I ACTUALLY WANT TO DO IS THAT INSTEAD OF THE LOG (EVENT ID 4656) BEING GENERATED ON THE LOCAL PC, I WANT THE LOG TO BE GENERATED ON THE DOMAIN CONTROLLER, JUST LIKE LOGON, LOGOFF EVENT ID'S)

    4- Solution to issue no. 3 will be my no.1 priority, alternately, solution to no.2 and no.1 is highly welcomed.

    Thanks.

    Saturday, July 18, 2015 9:27 AM