General discussion

Locked

AD Auditing of Logon Events

By GL ·
I am having problems getting filtering to work with auditing logons on a 2000 server. I can enable auditing in the default domain GPO and that works...tons of entries in the security log in Event Viewer.

I would, however, like to filter the policy so only certain people's logins are tracked. I tried setting up a GPO in an OU and that didn't work (logins for users in that OU did not appear in the security log).

I then tried filtering using security groups. I created a new GPO at the domain level to contain the auditing policy which tracks successes and failures. Then I removed authenticated users from the ACL for the GPO and added my security group, giving the group Read and Apply Policy permissions. When I do all that, I get no entries at all in Event Viewer even after refreshing the policy with secedit. An article on Microsoft's site seemed to suggest that you can not filter with domain local groups so I tried a global group and still had no luck.

I made sure that the logon auditing policy is not defined for all other GPOs including the DC OU, so only the GPO I created at the domain level should be affecting this.

Any ideas or suggestions would be appreciated.

This conversation is currently closed to new comments.

0 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Back to Software Forum
0 total posts (Page 1 of 1)  

Related Discussions

Related Forums