Hi Tina,

Good instructions, but no reboot is necessary. Policy change propagates every 5 minutes on Windows 2000 DCs; every 16 hours on Windows 2000 domain member clients (Server and Professional).

In general, Windows 2000 typically only needs a reboot if the kernel or an in-use system component is replaced, or if a filter driver needs to be installed which interacts with a critical system driver that can't be stopped (such as installing an AV filter driver above the NTFS file system driver.)

You can force policy propagation immediately on a Windows machine with the following command from a cmd.exe prompt (you must be an Administrator):

    [Windows 2000]
    SECEDIT /REFRESHPOLICY MACHINE_POLICY

    [Windows XP]
    GPUPDATE

Audit policy for non-domain controllers can be set in the default domain policy:

1. Administrative Tools --> "Active Directory Users and Computers" --> Highlight your domain name node --> right-click --> Properties
2. Go to the Group Policy Tab, and select "Default Domain Policy", Edit.

Changes to policy are saved immediately as you make them.

Eric

-----Original Message-----
From: Tina Bird [mailto:tbird@precision-guesswork.com]
Sent: Tuesday, October 09, 2001 1:06 PM
To: Log Analysis Mailing List
Cc: tbirdat_private
Subject: [logs] Auditing on Win2k Domain Controller

I finally figured it out! Having worked with Win2k Professional and Windows NT, I thought I just needed to configure the Local Security Policy audit settings for the Win2k domain controller. But that's not true. Here's what it took:

Control Panel --> Administrative Tools

Open "Active Directory Users and Computers"

Select "Domain Controllers" - Go to the Actions toolbar item, and select "Properties"

Go to the Group Policy Tab, and select "Default Domain Controllers Policy" (or whichever Domain Controllers Policy is used within your environment)

Click on the "Edit" button.

Then select Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy

Put a checkmark in whichever audit policies you want to enable, close the window.

At this point I rebooted, but mostly because it was a Windows box, not because it told me to. One of the documents I was reading yesterday said that without the reboot, it would take five minutes for the domain controller to notice its new policy.

For a stand-alone system, you can perform the same task by going to the Control Panel, opening "Administrative Tools," Local Security Policy, Local Policies, Audit Policy. If the machine is a member of a domain but not a domain controller, the domain's audit policy takes precedence.

Other notes on audit categories and event descriptions are available at http://kubarb.phsx.ukans.edu/~tbird/windows-logging.html which will shortly be linked from the main Log Analysis site.

*whew* tbird

"I was being patient, but it took too long." - Buffy the Vampire Slayer

LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 18:55:42 PDT
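
An added example, not part of the original thread: after a policy refresh, one way to confirm which audit categories are in effect is to export the security settings with `secedit /export /cfg` and read the `[Event Audit]` section of the resulting template. The sample template text and the function names are constructed for illustration, and the sketch assumes the usual security-template encoding (0 = no auditing, 1 = success, 2 = failure, 3 = both).

```python
# Constructed sample of an exported security template (not from a real host).
SAMPLE_TEMPLATE = """\
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed value encoding for audit settings in a security template.
SETTING = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}


def parse_event_audit(text):
    """Return {category: setting} for the Audit* keys under [Event Audit]."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # track the current section
            continue
        if section != "event audit" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("Audit") and value.isdigit():
            result[key] = SETTING.get(int(value), "unknown")
    return result


def disabled_categories(policy):
    """Audit categories that record neither success nor failure."""
    return sorted(name for name, setting in policy.items() if setting == "none")


if __name__ == "__main__":
    policy = parse_event_audit(SAMPLE_TEMPLATE)
    print("not audited:", ", ".join(disabled_categories(policy)))
```

On a real export, decode the file with the encoding it was written in (commonly UTF-16) before passing the text to `parse_event_audit`.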