General discussion

Locked

Change Auditing Settings to just failure

By Ritarun ·
I can't seem to figure out how to change the Auditing setting in Win2000Professional to enable Auditig for specific events like logon/logoff. I can enable it but it does not let me change it to just failure. It stays at success/failure. I am a new admin so I figure it has to be just something that I am missing. Anyone help? I have been running the MS Personal Security Advisor thru Technet/MPSA and it keeps reporting that I need to change it to just "failure" and even shows screen shots.

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Change Auditing Settings to just failure

by maxwell edison In reply to Change Auditing Settings ...

To audit files and folders, you must be logged on as a member of the Administrators group or have been granted the Manage auditing and security log right in Group Policy. You can set file and folder auditing only on drives that are formatted to use NTFS. Because the security log is limited in size, carefully select the files and folders to be audited. Also consider the amount of disk space you are willing to devote to the security log. The maximum size is defined in Event Viewer.

To set, view, change, or remove auditing for a file or folder:

Click Start , point to Programs , point to Accessories , and then click Windows Explorer . Locate the file or folder you want to audit.

Right-click the file or folder, click Properties , and then click the Security tab.

Click Advanced , and then click the Auditing tab.

Use one of the following procedures:

To set up auditing for a new group or user, click Add . Type the name of the user you in the Name box, and then click OK.

To view or change auditing for an existing group or user, click the name, and then click View/Edit.

To remove auditing for an existing group or user, click the name, click Remove, and then skip steps 5 through 7.

If necessary, in the Auditing Entry dialog box, select where you want auditing to take place in the Apply onto box. The Apply onto box is available only for folders.

Under Access, click Successfu , Failed, or both for each access you want to audit.

If you want to prevent files and subfolders within the tree from inheriting these audit entries, click to select the Apply these auditing entries check box.

NOTE: If the check boxes under Access are unavailable in the Auditing Entry dialog box, or if the Remove button is unavailable in the Access Control Settings dialog box, auditing has been inherited from the parent folder.

Good luck in your new position.

Maxwell

Collapse -

Change Auditing Settings to just failure

by maxwell edison In reply to Change Auditing Settings ...

.
.
Before Windows 2000 can audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders will be audited. After auditing is enabled in Group Policy, view the security log in Event Viewer to review successful or failed attempts to access the audited files and folders.

Maxwell

Collapse -

Change Auditing Settings to just failure

by maxwell edison In reply to Change Auditing Settings ...

.
.
Also see:

http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=9633

(REMOVE SPACES from the pasted URL.)

Maxwell

Collapse -

Change Auditing Settings to just failure

by Ritarun In reply to Change Auditing Settings ...

Guess I was not really clear in what my problem is. I can't figure out how to make the changes in the MCC to indicate that I want Failure only (or Success and failure and so on). Here is a clip from the technet site that describes more snip<Auditing a Single Computer:
Go to Start | Programs | Administrative Tools and choose Local Security Policy. This opens an MMC (Microsoft Management Console) view to the computer's local security settings; go to Local Policies | Audit Policy to configure the audit events.

There are nine event categories you can audit, and for each one you can indicate whether to audit success, failure, or both. > Snip. My question is how do you change the effective setting criteria? There are two columns: Local Settings and Effective Settings. I can't seem to change the setting from success/failure to just failure. When the setting is not "no audit" it changes to be enable. But the effective setting portion continues to be greyed out.
Does this make sense? The reponses that were already given had lots of good suggestions and I will remember them but I still need help in changing the setting.

Collapse -

Change Auditing Settings to just failure

by Joseph Moore In reply to Change Auditing Settings ...

Ok, once you set up your Local Security Policy to the way you want it (and this includes ALL of the settings for everything, keep this in mind), you make changes to the Local Settings column.
Now, right-click on Security Settings -> Reload.

Voila!
Your security changes should now be in the Effective Settings column also.

If you want to apply this to different systems, right-click on Security Settings ->Export Policy -> Effective Settings.
Save it as your own .INF.
Take this INF to theother computers, and apply it with the Security Configuration And Analysis MMC Snap-in.

Hope this helps.

Collapse -

Change Auditing Settings to just failure

by Ritarun In reply to Change Auditing Settings ...

That's it! the Reload part!

Collapse -

Change Auditing Settings to just failure

by Ritarun In reply to Change Auditing Settings ...

This question was closed by the author

Back to Windows Forum
7 total posts (Page 1 of 1)  

Operating Systems Forums