Event id 807 has the following format:

ID: 807
Description: Per user auditing policy set for user:
Target user: %1
Policy ID: %2
Category Settings:
System: %3
Logon: %4
Object Access %5
Privilege Use: %6
Detailed Tracking: %7
Policy Change: %8
Account Management: %9
DS Access: %10
Account Logon: %11

You can download the entire list of events that may have Security as source on W2K3 from here: http://www.eventid.net/downloads/w2k3security.txt.

Regards,

Adrian Grigorof
www.eventid.net

----- Original Message -----
From: "Jean-Baptiste Marchand" <Jean-Baptiste.Marchandat_private>
To: <loganalysisat_private>
Sent: Tuesday, September 02, 2003 11:08 AM
Subject: [logs] [Windows Server 2003] Per-user auditing policy

> Hello,
>
> Windows Server 2003 is supposed to contain per-user auditing facilities.
> This feature might be interesting to restrict auditing of security
> events for certain security principals.
>
> As far as I know, the documentation describing how to set up a per-user
> auditing policy has not yet been published. According to the following
> web page, it should be in the Windows Server 2003 Resource Kit:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/audit_peruser.asp
>
> It seems that the per-user auditing policy is stored under the LSA
> registry key:
>
> Key: HKLM\SYSTEM\CCS\Control\Lsa\Audit\PerUserAuditing\
>
> Does anybody have more information about per-user auditing?
>
>
> Also, it seems that the current documentation of security events related
> to per-user auditing is wrong.
>
> According to :
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/520.asp
>
> the two following security events are related to per-user auditing :
>
> 623 Per user auditing policy was set for a user.
> 625 Per user audit policy was refreshed.
>
>
> However, the correct security events identifiers seem to be :
>
> 806 Per User Audit Policy was refreshed
> 807 Per user auditing policy set for user
>
>
> Follows an example of a 806 security event :
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Policy Change
> Event ID: 806
> Date: xx/xx/2003
> Time: xx:xx:xx
> User: NT AUTHORITY\SYSTEM
> Computer: BLAH
> Description:
> Per User Audit Policy was refreshed.
> Number of elements: 0
> Policy ID: (0x0,0x8D58)
>
>
> I have no example of 807 security event, as the configuration of a
> per-user auditing policy is not known at this time...
>
>
>
> Jean-Baptiste Marchand
> --
> Jean-Baptiste.Marchandat_private
> HSC - http://www.hsc.fr/
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
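Added example, not part of the original messages: a small Python parser for the per-user audit events discussed in this thread. It accepts both the documented IDs (623/625) and the observed ones (806/807) and tolerates the missing colon after "Object Access" in the 807 template. The function name, the one-field-per-line layout and all values in the 807 sample are assumptions.

```python
import re

# Event IDs from the thread: 623/625 as documented, 806/807 as observed.
KIND_BY_ID = {623: "set", 807: "set", 625: "refreshed", 806: "refreshed"}
# Field labels from the 807 template and the 806 sample. The template shows
# "Object Access %5" with no colon, so a bare space also separates label/value.
LABELS = ["Target user", "Number of elements", "Policy ID", "System", "Logon",
          "Object Access", "Privilege Use", "Detailed Tracking",
          "Policy Change", "Account Management", "DS Access", "Account Logon"]
_ALT = "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True))
_FIELD = re.compile(r"^(?P<k>%s)(?:\s*:\s*|\s+)(?P<v>.*)$" % _ALT)

def parse_per_user_audit_event(event_id, description):
    """Return {'kind', 'fields'} for a per-user audit event, else None."""
    kind = KIND_BY_ID.get(int(event_id))
    if kind is None:
        return None
    fields = {}
    for line in description.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group("k")] = m.group("v").strip()
    return {"kind": kind, "fields": fields}

# Description text of the 806 event quoted in the thread.
SAMPLE_806 = """Per User Audit Policy was refreshed.
Number of elements: 0
Policy ID: (0x0,0x8D58)"""

# Constructed 807 description: the thread contains no real 807 event, so
# every value below is a made-up placeholder, laid out one field per line.
SAMPLE_807 = """Per user auditing policy set for user:
Target user: EXAMPLE\\alice
Policy ID: (0x0,0x1234)
Category Settings:
System: v3
Logon: v4
Object Access v5
Privilege Use: v6
Detailed Tracking: v7
Policy Change: v8
Account Management: v9
DS Access: v10
Account Logon: v11"""

if __name__ == "__main__":
    for eid, text in ((806, SAMPLE_806), (807, SAMPLE_807)):
        print(eid, parse_per_user_audit_event(eid, text))
```
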
This archive was generated by hypermail 2b30 : Fri Sep 05 2003 - 09:32:35 PDT