Set up auditing on Windows Server 2012 R2: logging on, logging off, open, read, write, etc. (Sucesses and...

Which aircraft had such a luxurious-looking navigator's station?

Soft question- The Bashing Technique and Other powerful techniques for Olympiads

Finding the number of integers that are a square and a cube at the same time

Why is working on the same position for more than 15 years not a red flag?

How to acknowledge an embarrassing job interview, now that I work directly with the interviewer?

How would an AI self awareness kill switch work?

Does "sickness" have the same meaning as "vomitus"?

If I delete my router's history can my ISP still provide it to my parents?

Can the Count of Monte Cristo's calculation of poison dosage be explained?

Why is this code uniquely decodable?

Why is my solution for the partial pressures of two different gases incorrect?

Can a hotel cancel a confirmed reservation?

A Wacky, Wacky Chessboard (That Makes No Sense)

What is the difference between ashamed and shamed?

Can I retract my name from an already published manuscript?

Where was Karl Mordo in Infinity War?

Do authors have to be politically correct in article-writing?

Dilemma of explaining to interviewer that he is the reason for declining second interview

How can I mix up weapons for large groups of similar monsters/characters?

Meaning of すきっとした

Do my Windows system binaries contain sensitive information?

Why can I easily sing or whistle a tune I've just heard, but not as easily reproduce it on an instrument?

What is better: yes / no radio, or simple checkbox?

What do the pedals on grand pianos do?



Set up auditing on Windows Server 2012 R2: logging on, logging off, open, read, write, etc. (Sucesses and failures)


Auditing events 4656 and 4658 on Windows folder on Server 2008Windows Server 2008 R2 - Failed login auditingMissing Account audit events on DC'sWindows Object Access Audit vs File Properties “Accessed” Date/Timedomain controller does not show any failed logon auditFile Access Auditing on Server 2012Windows file / folder Auditing not working if member of AD domainWindows 2012 RDS Server logon causes Audit Failure 4625File system audit doesn't work for folder creation in Windows 7Auditing Logging with Windows Server 2012 R2













0















I have enabled auditing on Windows Server 2012 R2 (domain controller) but liked warned, there are just way too many events being generated and it really doesnt tell me anything or just too troublesome to look thru.



The events I want to audit (success and failures) are:




  • When a PC is turned on

  • When a PC is turned off (and by who)

  • When a user logs on and on what PC

  • When a user logs off and on what PC

  • When a user reads, writes, etc. a file/folderon the file server

  • VPN related settings


I think those events are the ones that intrest me. I have no intrest in anything the user does on HIS computer just things that have to do with domain access and file server access.



How do I set this up correctly?










share|improve this question














bumped to the homepage by Community 7 hours ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.




















    0















    I have enabled auditing on Windows Server 2012 R2 (domain controller) but liked warned, there are just way too many events being generated and it really doesnt tell me anything or just too troublesome to look thru.



    The events I want to audit (success and failures) are:




    • When a PC is turned on

    • When a PC is turned off (and by who)

    • When a user logs on and on what PC

    • When a user logs off and on what PC

    • When a user reads, writes, etc. a file/folderon the file server

    • VPN related settings


    I think those events are the ones that intrest me. I have no intrest in anything the user does on HIS computer just things that have to do with domain access and file server access.



    How do I set this up correctly?










    share|improve this question














    bumped to the homepage by Community 7 hours ago


    This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.


















      0












      0








      0








      I have enabled auditing on Windows Server 2012 R2 (domain controller) but liked warned, there are just way too many events being generated and it really doesnt tell me anything or just too troublesome to look thru.



      The events I want to audit (success and failures) are:




      • When a PC is turned on

      • When a PC is turned off (and by who)

      • When a user logs on and on what PC

      • When a user logs off and on what PC

      • When a user reads, writes, etc. a file/folderon the file server

      • VPN related settings


      I think those events are the ones that intrest me. I have no intrest in anything the user does on HIS computer just things that have to do with domain access and file server access.



      How do I set this up correctly?










      share|improve this question














      I have enabled auditing on Windows Server 2012 R2 (domain controller) but liked warned, there are just way too many events being generated and it really doesnt tell me anything or just too troublesome to look thru.



      The events I want to audit (success and failures) are:




      • When a PC is turned on

      • When a PC is turned off (and by who)

      • When a user logs on and on what PC

      • When a user logs off and on what PC

      • When a user reads, writes, etc. a file/folderon the file server

      • VPN related settings


      I think those events are the ones that intrest me. I have no intrest in anything the user does on HIS computer just things that have to do with domain access and file server access.



      How do I set this up correctly?







      windows-server-2012-r2 audit






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jul 14 '15 at 10:43









      riahc3riahc3

      28341024




      28341024





      bumped to the homepage by Community 7 hours ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







      bumped to the homepage by Community 7 hours ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
























          1 Answer
          1






          active

          oldest

          votes


















          0














          Some events are audited locally on PC itself (such as power on/off), some on server (file share access), and some on DC (account logs into domain). Not all of them are related to or recorded on DC.



          You can enable auditing for local events in local group policy, or you can enable it in a domain GPO and link to OUs. Domain logon auditing can be done only on Domain Controller policies.



          File access auditing has to be enabled in GPO, as well as on the shares that you want to monitor (thru SACL entries).



          Your question is too broad to have a specific answer, you will have to get yourself familiar with how GPO/auditing works in Windows in general.






          share|improve this answer
























          • I think powerons and poweroffs of domain members can be registered un the dc

            – riahc3
            Jul 14 '15 at 12:26











          • @riahc3, supposed a member server has connection with DC at the time of power on/off, and it's gracefully off, then yes it will probably generate machine logon/logoff events, but that can't be used as a reliable of indicator of whether a member is on/off. Such event is generated in other occasions too.

            – strongline
            Jul 14 '15 at 12:45











          • I dont want a "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesnt get logged? Sure. But thats not the point.

            – riahc3
            Jul 14 '15 at 12:49











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "2"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f705575%2fset-up-auditing-on-windows-server-2012-r2-logging-on-logging-off-open-read%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          Some events are audited locally on PC itself (such as power on/off), some on server (file share access), and some on DC (account logs into domain). Not all of them are related to or recorded on DC.



          You can enable auditing for local events in local group policy, or you can enable it in a domain GPO and link to OUs. Domain logon auditing can be done only on Domain Controller policies.



          File access auditing has to be enabled in GPO, as well as on the shares that you want to monitor (thru SACL entries).



          Your question is too broad to have a specific answer, you will have to get yourself familiar with how GPO/auditing works in Windows in general.






          share|improve this answer
























          • I think powerons and poweroffs of domain members can be registered un the dc

            – riahc3
            Jul 14 '15 at 12:26











          • @riahc3, supposed a member server has connection with DC at the time of power on/off, and it's gracefully off, then yes it will probably generate machine logon/logoff events, but that can't be used as a reliable of indicator of whether a member is on/off. Such event is generated in other occasions too.

            – strongline
            Jul 14 '15 at 12:45











          • I dont want a "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesnt get logged? Sure. But thats not the point.

            – riahc3
            Jul 14 '15 at 12:49
















          0














          Some events are audited locally on PC itself (such as power on/off), some on server (file share access), and some on DC (account logs into domain). Not all of them are related to or recorded on DC.



          You can enable auditing for local events in local group policy, or you can enable it in a domain GPO and link to OUs. Domain logon auditing can be done only on Domain Controller policies.



          File access auditing has to be enabled in GPO, as well as on the shares that you want to monitor (thru SACL entries).



          Your question is too broad to have a specific answer, you will have to get yourself familiar with how GPO/auditing works in Windows in general.






          share|improve this answer
























          • I think powerons and poweroffs of domain members can be registered un the dc

            – riahc3
            Jul 14 '15 at 12:26











          • @riahc3, supposed a member server has connection with DC at the time of power on/off, and it's gracefully off, then yes it will probably generate machine logon/logoff events, but that can't be used as a reliable of indicator of whether a member is on/off. Such event is generated in other occasions too.

            – strongline
            Jul 14 '15 at 12:45











          • I dont want a "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesnt get logged? Sure. But thats not the point.

            – riahc3
            Jul 14 '15 at 12:49














          0












          0








          0







          Some events are audited locally on PC itself (such as power on/off), some on server (file share access), and some on DC (account logs into domain). Not all of them are related to or recorded on DC.



          You can enable auditing for local events in local group policy, or you can enable it in a domain GPO and link to OUs. Domain logon auditing can be done only on Domain Controller policies.



          File access auditing has to be enabled in GPO, as well as on the shares that you want to monitor (thru SACL entries).



          Your question is too broad to have a specific answer, you will have to get yourself familiar with how GPO/auditing works in Windows in general.






          share|improve this answer













          Some events are audited locally on PC itself (such as power on/off), some on server (file share access), and some on DC (account logs into domain). Not all of them are related to or recorded on DC.



          You can enable auditing for local events in local group policy, or you can enable it in a domain GPO and link to OUs. Domain logon auditing can be done only on Domain Controller policies.



          File access auditing has to be enabled in GPO, as well as on the shares that you want to monitor (thru SACL entries).



          Your question is too broad to have a specific answer, you will have to get yourself familiar with how GPO/auditing works in Windows in general.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jul 14 '15 at 12:08









          stronglinestrongline

          55628




          55628













          • I think powerons and poweroffs of domain members can be registered un the dc

            – riahc3
            Jul 14 '15 at 12:26











          • @riahc3, supposed a member server has connection with DC at the time of power on/off, and it's gracefully off, then yes it will probably generate machine logon/logoff events, but that can't be used as a reliable of indicator of whether a member is on/off. Such event is generated in other occasions too.

            – strongline
            Jul 14 '15 at 12:45











          • I dont want a "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesnt get logged? Sure. But thats not the point.

            – riahc3
            Jul 14 '15 at 12:49



















          • I think powerons and poweroffs of domain members can be registered un the dc

            – riahc3
            Jul 14 '15 at 12:26











          • @riahc3, supposed a member server has connection with DC at the time of power on/off, and it's gracefully off, then yes it will probably generate machine logon/logoff events, but that can't be used as a reliable of indicator of whether a member is on/off. Such event is generated in other occasions too.

            – strongline
            Jul 14 '15 at 12:45











          • I dont want a "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesnt get logged? Sure. But thats not the point.

            – riahc3
            Jul 14 '15 at 12:49

















          I think powerons and poweroffs of domain members can be registered un the dc

          – riahc3
          Jul 14 '15 at 12:26





          I think powerons and poweroffs of domain members can be registered un the dc

          – riahc3
          Jul 14 '15 at 12:26













          @riahc3, supposed a member server has connection with DC at the time of power on/off, and it's gracefully off, then yes it will probably generate machine logon/logoff events, but that can't be used as a reliable of indicator of whether a member is on/off. Such event is generated in other occasions too.

          – strongline
          Jul 14 '15 at 12:45





          @riahc3, supposed a member server has connection with DC at the time of power on/off, and it's gracefully off, then yes it will probably generate machine logon/logoff events, but that can't be used as a reliable of indicator of whether a member is on/off. Such event is generated in other occasions too.

          – strongline
          Jul 14 '15 at 12:45













          I dont want a "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesnt get logged? Sure. But thats not the point.

          – riahc3
          Jul 14 '15 at 12:49





          I dont want a "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesnt get logged? Sure. But thats not the point.

          – riahc3
          Jul 14 '15 at 12:49


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f705575%2fset-up-auditing-on-windows-server-2012-r2-logging-on-logging-off-open-read%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

          Список ссавців Італії Природоохоронні статуси | Список |...

          Маріан Котлеба Зміст Життєпис | Політичні погляди |...