[logs] [Windows Server 2003] Per-user auditing policy

From: Jean-Baptiste Marchand (Jean-Baptiste.Marchandat_private)
Date: Tue Sep 02 2003 - 08:08:44 PDT


    Windows Server 2003 is supposed to contain per-user auditing facilities.
    This feature might be interesting to restrict auditing of security
    events for certain security principals.

    As far as I know, the documentation describing how to set up a per-user
    auditing policy has not yet been published. According to the following
    web page, it should be in the Windows Server 2003 Resource Kit:

    It seems that the per-user auditing policy is stored under the LSA
    registry key:

    Key: HKLM\SYSTEM\CCS\Control\Lsa\Audit\PerUserAuditing\

    Does anybody have more information about per-user auditing?

    Also, it seems that the current documentation of security events related
    to per-user auditing is wrong.

    According to:
    the two following security events are related to per-user auditing:

    623 	Per user auditing policy was set for a user.
    625 	Per user audit policy was refreshed.

    However, the correct security event identifiers seem to be:

    806 	Per User Audit Policy was refreshed
    807 	Per user auditing policy set for user

    An example of an 806 security event follows:

    Event Type:	Success Audit
    Event Source:	Security
    Event Category:	Policy Change 
    Event ID:	806
    Date:		xx/xx/2003
    Time:		xx:xx:xx
    Computer:	BLAH
    Per User Audit Policy was refreshed.
     	Number of elements:	0
     	Policy ID:	(0x0,0x8D58)

    I have no example of an 807 security event, as the configuration of a
    per-user auditing policy is not known at this time...

    Jean-Baptiste Marchand
    HSC - http://www.hsc.fr/
    LogAnalysis mailing list
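
The event layout quoted in the post can be filtered mechanically. The following Python code is an added example, not part of the original message: it parses a text dump of Security events in that layout and returns the ones whose ID is among the four identifiers the post mentions. The function names and the second sample event (ID 9999) are constructed for illustration.

```python
import re

# IDs from the post: 806/807 were observed on Windows Server 2003,
# 623/625 are the ones the documentation listed for the same events.
PER_USER_AUDIT_IDS = {806, 807, 623, 625}
FIELD_RE = re.compile(r"^\s*([^:\n]+?):\s*(.*?)\s*$")

# Constructed sample: the 806 event quoted in the post plus one made-up event.
SAMPLE = """\
Event Type:     Success Audit
Event Source:   Security
Event Category: Policy Change
Event ID:       806
Computer:       BLAH
Per User Audit Policy was refreshed.
        Number of elements:     0
        Policy ID:      (0x0,0x8D58)
Event Type:     Success Audit
Event ID:       9999
Computer:       BLAH
"""

def parse_events(text):
    """Split a dump into field dicts; a new event starts at 'Event Type:'."""
    events = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # free-text description line, no "name: value" pair
        if m.group(1) == "Event Type":
            events.append({})
        if events:
            events[-1][m.group(1)] = m.group(2)
    return events

def per_user_audit_events(text):
    """Return only the events whose ID is tied to per-user auditing."""
    hits = []
    for ev in parse_events(text):
        eid = ev.get("Event ID", "")
        if eid.isdigit() and int(eid) in PER_USER_AUDIT_IDS:
            count = ev.get("Number of elements", "")
            hits.append({"id": int(eid), "computer": ev.get("Computer"),
                         "elements": int(count) if count.isdigit() else None,
                         "policy_id": ev.get("Policy ID")})
    return hits
```

Matching on both the documented and the observed identifiers keeps the filter useful whichever numbering a given system turns out to log.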
