Security Auditing Issue

Paperlantern (Platinum Member, Apr 26, 2003)
I'm wondering if anyone here could help me out. I've got a 2003 Server as an active Domain Controller in our forest. We have a forwarder on this box forwarding log events to Splunk. I noticed that in Splunk I was not getting ANY Audit Failures, even when I tried to create them on purpose. Looking directly at the domain controller's Security Log, it also shows NOTHING but Success Audits. Confused, I went into Active Directory Users and Computers, right-clicked on the top level of the domain, clicked Properties, went to Windows Settings -> Security Settings -> Local Policies -> Audit Policy. There, Audit account logon events is set to Success, Failure. I was thinking maybe ONLY Success would have been checked, preventing the failures from showing, but it's not; it IS set to audit both. So failures should at least show up. They do not: even when trying to access the box DIRECTLY from the console, attempting a log in, typing the wrong password, NOTHING shows in the log. Not a single peep about the fact someone just failed to log in.

Am I missing something here? Am I in the wrong place to edit the policy properly? All research I've done shows that I am, and when I view their videos or screenshots in their examples, the failure audits happily populate into the log. On mine, Success, Success, Success, as far as the eye can see.

Halp!
 

seepy83 (Platinum Member, Nov 12, 2003)
You're doing this through Group Policy, right? Via the Default Domain Policy? You said that you have "Audit Account Logon Events" set to Success and Failure. What about "Audit Logon Events"? It's been a long time since I've read the documentation on these, but I just took a quick look at my GPO here and I have both of those enabled for Success and Failure.
 

Paperlantern (Platinum Member, Apr 26, 2003)
Yes, that is exactly where I'm looking. That isn't enabled on mine; I thought it just meant it will log the event to the local box that the person tried to log onto, but not necessarily report it to the domain controller. I could have misunderstood the explanation of course, and I will turn that on now to see if that makes a difference. Will report back in a little while. Thanks.
 

Paperlantern (Platinum Member, Apr 26, 2003)
Still nothing but Success Audits. I even tried setting both to Failures ONLY. Still, successes come in several at a time every few seconds.
 

seepy83 (Platinum Member, Nov 12, 2003)
Maybe check your Default Domain Controllers Policy?

You could also use the Group Policy Modeling wizard to view what policies are set on the Domain Controllers OU and what GPO is applying policy.

Maybe go into the Local Security Policy (secpol.msc) on the DC and see what Audit settings are enabled?
 

phoenix79 (Golden Member, Jan 17, 2000)
Also, make sure you're refreshing your GP on the machines you're testing and logging on to once you change the GP. If you don't and the changes don't take effect, all your testing is worthless.
 

Firetower (Senior member, Jul 15, 2003)
Refresh group policy on a node, then run rsop.msc to see where the group policy settings are coming from (local or domain).

Make sure you have the policy linked properly.
 

stlcardinals (Senior member, Sep 15, 2005)
Also, it is a good idea not to change the Default Domain Policy, but to make a new GPO to implement your changes in.
 

rasczak (Lifer, Jan 29, 2005)
Is inheritance blocked? (A little blue ! indicates blocked inheritance on a policy.) Two, are the links enabled?

Install GPMC if it isn't installed already to get a better idea of how your GP is set up.

Also, I absolutely agree with stlcardinals. Add GPOs by creating new policies instead of editing your baseline GPO. This way you can troubleshoot bad policy settings better.
 
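The troubleshooting steps suggested across the replies (refresh Group Policy, check which GPO wins for the DC, then verify the effective audit settings and the Security log) can be collapsed into one check. This is an added example, not code from the thread; it assumes it is run elevated on the DC with PowerShell 2.0 or later, and that gpupdate, gpresult and auditpol are available (auditpol is built in from Server 2008 onward and is a separate Resource Kit download on 2003). The point it checks is that a DC sits in the Domain Controllers OU, so audit settings defined in the Default Domain Controllers Policy take precedence over the same settings in the Default Domain Policy at the domain level.

```powershell
# Added example (not from the thread). Assumptions: elevated PowerShell 2.0+ on the DC;
# gpupdate/gpresult present (standard on 2003+); auditpol.exe present (built in on
# 2008+, Resource Kit on 2003).

# 1. Re-apply Group Policy so the test reflects the current settings, not stale ones.
gpupdate /force | Out-Null

# 2. Effective audit policy as the DC actually enforces it. If the Default Domain
#    Controllers Policy (linked to the Domain Controllers OU) defines these categories,
#    it wins over the Default Domain Policy, whatever the domain-level GPO says.
auditpol /get /category:"Logon/Logoff","Account Logon"

# 3. Which GPO supplied the winning audit settings (look for the Audit Policy section).
gpresult /scope computer /v | Select-String -Pattern 'Audit'

# 4. Deliberately fail one console logon with a wrong password, then run this block.
#    Failure audits to expect on a DC: 529 and 675 on Server 2003, 4625 and 4771 on
#    2008 and later. None at all means failures are not being audited effectively.
$since = (Get-Date).AddMinutes(-10)
$fails = Get-EventLog -LogName Security -EntryType FailureAudit -After $since

if ($fails) {
    $fails | Select-Object -First 5 TimeGenerated, EventID, Message | Format-List
} else {
    Write-Host "No failure audits since $since; the effective policy is not auditing failures."
}
```

If step 2 shows "No Auditing" or "Success" only for these categories while the Default Domain Policy says Success and Failure, compare the Default Domain Controllers Policy next.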