Set up auditing on Windows Server 2012 R2: logging on, logging off, open, read, write, etc. (Successes and failures)

















I have enabled auditing on Windows Server 2012 R2 (domain controller) but like warned, there are just way too many events being generated and it really doesn't tell me anything or is just too troublesome to look through.

The events I want to audit (success and failures) are:

  • When a PC is turned on
  • When a PC is turned off (and by who)
  • When a user logs on and on what PC
  • When a user logs off and on what PC
  • When a user reads, writes, etc. a file/folder on the file server
  • VPN related settings

I think those events are the ones that interest me. I have no interest in anything the user does on HIS computer, just things that have to do with domain access and file server access.

How do I set this up correctly?










      windows-server-2012-r2 audit






      asked Jul 14 '15 at 10:43









      riahc3

          1 Answer
          Some events are audited locally on the PC itself (such as power on/off), some on the server (file share access), and some on the DC (account logs into domain). Not all of them are related to or recorded on the DC.

          You can enable auditing for local events in local group policy, or you can enable it in a domain GPO and link to OUs. Domain logon auditing can be done only on Domain Controller policies.

          File access auditing has to be enabled in GPO, as well as on the shares that you want to monitor (through SACL entries).

          Your question is too broad to have a specific answer; you will have to get yourself familiar with how GPO/auditing works in Windows in general.






          answered Jul 14 '15 at 12:08









          strongline

          • I think powerons and poweroffs of domain members can be registered on the DC

            – riahc3
            Jul 14 '15 at 12:26

          • @riahc3, suppose a member server has a connection with the DC at the time of power on/off, and it's gracefully off, then yes it will probably generate machine logon/logoff events, but that can't be used as a reliable indicator of whether a member is on/off. Such events are generated on other occasions too.

            – strongline
            Jul 14 '15 at 12:45

          • I don't want an "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesn't get logged? Sure. But that's not the point.

            – riahc3
            Jul 14 '15 at 12:49
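
The split the answer describes (audit policy per machine role, plus a SACL on the monitored folder), as an added example that is not part of the original thread or the answerer's own commands. The folder path `D:\Shares\Finance` and the group `EXAMPLE\Domain Users` are placeholders, and the English subcategory names are assumed; in a domain the same subcategories would normally be set through a GPO (Advanced Audit Policy Configuration) linked to the relevant OU rather than typed per machine.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Enabling only the subcategories needed keeps the Security log readable.

# --- On the domain controllers: domain authentication (Account Logon) ---
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation"           /success:enable /failure:enable

# --- On the file server (and on any PC where local logons matter) ---
auditpol /set /subcategory:"Logon"       /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"      /success:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# --- On the file server: the policy alone logs nothing until the folder has a SACL ---
$path = 'D:\Shares\Finance'                      # placeholder path
$acl  = Get-Acl -Path $path -Audit               # -Audit loads the existing SACL
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'EXAMPLE\Domain Users',                      # placeholder group
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
# Adding ReadData to the rights above also audits reads, at a much higher event volume.
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# --- Verify what is actually in effect ---
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Object Access"
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# --- Read back only the events of interest from the last 24 hours ---
$since = (Get-Date).AddDays(-1)

# Security log: 4624 logon, 4625 failed logon, 4634/4647 logoff, 4663 file access
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4634, 4647, 4663; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }

# System log, recorded locally on each machine: 6005 event log started (boot),
# 6006 event log stopped (clean shutdown), 1074 shutdown/restart and the
# initiating user, 6008 previous shutdown was unexpected
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 1074, 6005, 6006, 6008; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

Because the power on/off events live in each machine's own System log, collecting them centrally needs event forwarding or a per-machine query; the domain controller's Security log does not contain them.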


















