sticky
NPS events and audit policy RRS feed

  • דיון כללי

  • View NPS events here using Event Viewer: Custom Views\Server Roles\Network Policy and Access Services

    If you do not see any events here, it might be that auditing is not enabled. Use the commands below to ensure that your audit policy is configured to allow success and failure events.

    1. Run this command from an elevated prompt on NPS to see your current audit policy settings:


    auditpol /get /subcategory:"Network Policy Server"


    If both success and failure events are enabled, the output should be:

    System audit policy

    Category/Subcategory                      Setting
    Logon/Logoff
      Network Policy Server                   Success and Failure

    2. If it shows ‘No auditing’, you can run this command to enable it:


    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable


    Note: Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting.

    יום רביעי 12 ינואר 2011 21:43
    בעלים

כל התגובות

  • Thank you so much!

    I was searching for this. the problem i am having is that NPS logs only Successful events but not Failures. Im using both PEAP and EAP-TLS for authentication and according to technet 
    http://technet.microsoft.com/en-us/library/cc753898(WS.10).aspx i need to edit the following registry key to enable logging for TLS at 

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging 

    Tried it out but still no events yet wireshark logs keeps showing the authentication as 'access-reject'. Do i need to reboot the server after changing the registry key? 

    Just wondering if there is a need to edit/change/modify anything else to make sure that NPS logs both success and failure events regardless of what type of authentication its coming from. 

    Appreciate the help. 


    hanglj
    שבת 06 אוגוסט 2011 04:39
  • Hi Greg,

     

    Tested the command and it works just fine! Thanks!


    hanglj
    יום שני 08 אוגוסט 2011 05:32
  • Hi hanglj

    after doing anything in registry you must reboot the server ..... like makes the server Wins proxy

    Rabei


    Avatar of hanglj

    hanglj

    BT Frontline

    0
    Recent Achievements 1 0 0
    First Forums Reply
    hanglj's threads View Profile
    יום חמישי 18 אוגוסט 2011 21:48
  • Thanks for the tip Greg. I've run this command, and while it did turn on Success and Failure auditing under the NPS server role in Event Viewer, I found that after a short amount of time this value would be overridden back to Not Enabled. Being that I have NPS on my domain controllers, I modified the Default Domain Controllers Group Policy and enabled the setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". Even though I've enabled this, I'm still finding that this setting has been overridden.

    Any suggestions?

    Thanks!
    Darren

    יום שישי 23 מרץ 2012 18:34
  • Hi Darren,

    Sorry I didn't see your question on this sticky until just tonight.

    I would try setting this policy to No Override. See http://technet.microsoft.com/en-us/library/cc758344(v=ws.10).aspx.

    -Greg

    יום שני 11 יוני 2012 07:18
    בעלים
  • Hi Greg - appreciate the reply.

    I ended up enabling Network Policy Server logon/logoff auditing via group policy. The success/failure setting can be found at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server.

    This did the trick for me!

    Darren


    Darren

    יום שני 11 יוני 2012 13:10