Due to a scheduling problem we were not able to ship the per-user auditing management utility in the Resource Kit. Per-user auditing policy will be included in Windows XP SP2, along with the management utility.

Direct modification of the per-user auditing policy store (registry) is not supported and will change in our Longhorn release; we'll document the APIs in the near future but we will not be documenting the format of the registry keys.

Eric

-----Original Message-----
From: loganalysis-bounces+ericf=microsoft.comat_private [mailto:loganalysis-bounces+ericf=microsoft.comat_private] On Behalf Of Jean-Baptiste Marchand
Sent: Tuesday, September 02, 2003 8:09 AM
To: loganalysisat_private
Subject: [logs] [Windows Server 2003] Per-user auditing policy

Hello,

Windows Server 2003 is supposed to contain per-user auditing facilities. This feature might be interesting to restrict auditing of security events for certain security principals.

As far as I know, the documentation describing how to set up a per-user auditing policy has not yet been published. According to the following web page, it should be in the Windows Server 2003 Resource Kit:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/audit_peruser.asp

It seems that the per-user auditing policy is stored under the LSA registry key:

Key: HKLM\SYSTEM\CCS\Control\Lsa\Audit\PerUserAuditing\

Does anybody have more information about per-user auditing?

Also, it seems that the current documentation of security events related to per-user auditing is wrong. According to:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/520.asp

the two following security events are related to per-user auditing:

623 Per user auditing policy was set for a user.
625 Per user audit policy was refreshed.

However, the correct security event identifiers seem to be:

806 Per User Audit Policy was refreshed
807 Per user auditing policy set for user

Follows an example of a 806 security event:

Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 806
Date: xx/xx/2003
Time: xx:xx:xx
User: NT AUTHORITY\SYSTEM
Computer: BLAH
Description:
Per User Audit Policy was refreshed.
Number of elements: 0
Policy ID: (0x0,0x8D58)

I have no example of 807 security event, as the configuration of a per-user auditing policy is not known at this time...

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchandat_private
HSC - http://www.hsc.fr/

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
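A log-analysis check for the events discussed in this thread, added here as an example and not part of the original messages or of any Microsoft tool: it parses an Event Viewer text record, with or without its line breaks, and flags both the documented IDs (623, 625) and the observed ones (806, 807). The function names and the output field names are assumptions made for the example.

```python
import re

# Event IDs as given in the post above: "documented" are the two IDs quoted
# from the TechNet page, "observed" are the IDs the poster saw in the log.
PER_USER_AUDIT_IDS = {
    623: ("documented", "Per user auditing policy was set for a user"),
    625: ("documented", "Per user audit policy was refreshed"),
    806: ("observed", "Per User Audit Policy was refreshed"),
    807: ("observed", "Per user auditing policy set for user"),
}
LABELS = ("Event Type", "Event Source", "Event Category", "Event ID",
          "Date", "Time", "User", "Computer")
FIELD = re.compile(r"\b(%s):\s*" % "|".join(LABELS))
POLICY_ID = re.compile(r"Policy ID:\s*\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)")
ELEMENTS = re.compile(r"Number of elements:\s*(\d+)")

def parse_event(text):
    """Parse one Event Viewer text record; line breaks are not required."""
    # Everything after "Description:" is free text, so labels are only
    # searched for in the header part before it.
    head, _, desc = text.partition("Description:")
    parts = FIELD.split(head)  # ['', label, value, label, value, ...]
    event = {parts[i]: " ".join(parts[i + 1].split())
             for i in range(1, len(parts) - 1, 2)}
    event["Description"] = " ".join(desc.split())
    return event

def classify(text):
    """Return a finding for a per-user audit policy event, else None."""
    event = parse_event(text)
    raw_id = event.get("Event ID", "")
    event_id = int(raw_id) if raw_id.isdigit() else None
    if event.get("Event Source") != "Security" or event_id not in PER_USER_AUDIT_IDS:
        return None
    origin, meaning = PER_USER_AUDIT_IDS[event_id]
    policy = POLICY_ID.search(event["Description"])
    count = ELEMENTS.search(event["Description"])
    return {"event_id": event_id, "id_origin": origin, "meaning": meaning,
            "computer": event.get("Computer"),
            "elements": int(count.group(1)) if count else None,
            "policy_id": policy.groups() if policy else None}

# The 806 record quoted in the post, written on one line per header group.
SAMPLE_806 = (r"Event Type: Success Audit Event Source: Security "
              r"Event Category: Policy Change Event ID: 806 Date: xx/xx/2003 "
              r"Time: xx:xx:xx User: NT AUTHORITY\SYSTEM Computer: BLAH "
              r"Description: Per User Audit Policy was refreshed. "
              r"Number of elements: 0 Policy ID: (0x0,0x8D58)")

if __name__ == "__main__":
    print(classify(SAMPLE_806))
```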
This archive was generated by hypermail 2b30 : Wed Sep 10 2003 - 18:09:37 PDT