Hello,

Windows Server 2003 is supposed to contain per-user auditing facilities. This feature might be interesting to restrict auditing of security events for certain security principals.

As far as I know, the documentation describing how to set up a per-user auditing policy has not yet been published. According to the following web page, it should be in the Windows Server 2003 Resource Kit:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/audit_peruser.asp

It seems that the per-user auditing policy is stored under the LSA registry key:

    Key: HKLM\SYSTEM\CCS\Control\Lsa\Audit\PerUserAuditing\

Does anybody have more information about per-user auditing?

Also, it seems that the current documentation of security events related to per-user auditing is wrong. According to:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/520.asp

the two following security events are related to per-user auditing:

    623 Per user auditing policy was set for a user.
    625 Per user audit policy was refreshed.

However, the correct security event identifiers seem to be:

    806 Per User Audit Policy was refreshed
    807 Per user auditing policy set for user

Here is an example of an 806 security event:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 806
    Date: xx/xx/2003
    Time: xx:xx:xx
    User: NT AUTHORITY\SYSTEM
    Computer: BLAH
    Description:
    Per User Audit Policy was refreshed.
      Number of elements: 0
      Policy ID: (0x0,0x8D58)

I have no example of an 807 security event, as the configuration of a per-user auditing policy is not known at this time...

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchandat_private
HSC - http://www.hsc.fr/
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Sep 03 2003 - 17:06:46 PDT
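
Added example, not part of the original post: a small parser that picks per-user audit policy events out of exported Security log text and records whether the ID is one of the documented pair (623/625) or the pair the poster observed (806/807). The record layout, the function names and the sample text are assumptions built from the event quoted in the message.

```python
import re

# Event IDs taken from the post: 623/625 are the documented ones,
# 806/807 are the ones the poster saw on Windows Server 2003.
PER_USER_AUDIT_IDS = {623: "documented", 625: "documented",
                      806: "observed", 807: "observed"}

# Constructed sample: the 806 event quoted in the post, as exported text.
SAMPLE_EVENT = r"""Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 806
Date: xx/xx/2003
Time: xx:xx:xx
User: NT AUTHORITY\SYSTEM
Computer: BLAH
Description:
Per User Audit Policy was refreshed.
  Number of elements: 0
  Policy ID: (0x0,0x8D58)
"""

def _kv(lines):
    """Turn 'Key: value' lines into a dict, splitting on the first colon only."""
    pairs = (line.partition(":") for line in lines)
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def parse_event(text):
    """Split an exported record into header fields, message and detail fields."""
    header, _, body = text.partition("Description:")
    lines = [line for line in body.splitlines() if line.strip()]
    message = lines[0].strip() if lines else ""
    return _kv(header.splitlines()), message, _kv(lines[1:])

def per_user_audit_event(text):
    """Return a summary for per-user audit policy events, None for anything else."""
    fields, message, details = parse_event(text)
    event_id = fields.get("Event ID", "")
    if fields.get("Event Source") != "Security" or not event_id.isdigit():
        return None  # these IDs only mean something in the Security log
    if int(event_id) not in PER_USER_AUDIT_IDS:
        return None
    m = re.fullmatch(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)",
                     details.get("Policy ID", ""))
    return {"id": int(event_id), "id_source": PER_USER_AUDIT_IDS[int(event_id)],
            "user": fields.get("User"), "message": message, "details": details,
            "policy_id": tuple(int(x, 16) for x in m.groups()) if m else None}
```

Matching on both ID pairs keeps a log filter from silently missing these policy changes if the documentation and the running system disagree, as the post reports.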