Set up auditing on Windows Server 2012 R2: logging on, logging off, open, read, write, etc. (Successes and failures)
I have enabled auditing on Windows Server 2012 R2 (domain controller) but, like warned, there are just way too many events being generated and it really doesn't tell me anything or is just too troublesome to look through.
The events I want to audit (success and failures) are:
- When a PC is turned on
- When a PC is turned off (and by whom)
- When a user logs on and on what PC
- When a user logs off and on what PC
- When a user reads, writes, etc. a file/folder on the file server
- VPN related settings
I think those events are the ones that interest me. I have no interest in anything the user does on HIS computer, just things that have to do with domain access and file server access.
How do I set this up correctly?
windows-server-2012-r2 audit
asked Jul 14 '15 at 10:43 by riahc3
1 Answer
Some events are audited locally on the PC itself (such as power on/off), some on the server (file share access), and some on the DC (account logs into domain). Not all of them are related to or recorded on the DC.
You can enable auditing for local events in local group policy, or you can enable it in a domain GPO and link to OUs. Domain logon auditing can be done only on Domain Controller policies.
File access auditing has to be enabled in GPO, as well as on the shares that you want to monitor (through SACL entries).
Your question is too broad to have a specific answer; you will have to get yourself familiar with how GPO/auditing works in Windows in general.
answered Jul 14 '15 at 12:08 by strongline
I think powerons and poweroffs of domain members can be registered on the DC – riahc3 Jul 14 '15 at 12:26
@riahc3, suppose a member server has a connection with the DC at the time of power on/off, and it's gracefully off, then yes it will probably generate machine logon/logoff events, but that can't be used as a reliable indicator of whether a member is on/off. Such an event is generated on other occasions too. – strongline Jul 14 '15 at 12:45
I don't want an "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesn't get logged? Sure. But that's not the point. – riahc3 Jul 14 '15 at 12:49
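The answer's two requirements for file access auditing (an audit policy plus SACL entries), together with local logon and power events, as an added PowerShell example that is not from the original answer or comments. The folder path `D:\Shares\Finance`, the audited rights, the event IDs queried and the one-day window are assumptions; `auditpol.exe` sets the policy locally, and a domain GPO that configures the same subcategories under Advanced Audit Policy Configuration takes precedence.

```powershell
#Requires -RunAsAdministrator
# Added example. Run elevated on the machine that should record the events.

# 1) Enable only the subcategories of interest instead of whole categories,
#    which keeps the Security log volume down.
$subcategories = 'Logon', 'Logoff', 'Security State Change', 'File System'
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# 2) 'File System' auditing records nothing until the object carries a SACL
#    entry. Add one to the share's root folder, inherited by children.
$folder   = 'D:\Shares\Finance'    # hypothetical path, replace with your share root
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $folder -Audit    # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3) Read back only the events that answer the question.
#    Security log: 4624 logon, 4634 logoff, 4608 Windows starting up,
#                  4663 access attempt on an audited object.
#    System log:   1074 shutdown or restart, including the initiating user.
$since   = (Get-Date).AddDays(-1)
$filters = @(
    @{ LogName = 'Security'; Id = 4624, 4634, 4608, 4663; StartTime = $since },
    @{ LogName = 'System';   Id = 1074;                   StartTime = $since }
)
foreach ($filter in $filters) {
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}
```

Auditing `ReadData` on a busy share is the noisiest of the four rights; dropping it from the rule is the first adjustment to make if volume is still a problem.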