KBI 220155 Configuring Auditing For Windows 2000 Logon Events
Version
All
Date
19 Aug 2002
Summary
This KBI article explains how to configure auditing for Windows 2000 logon events.
Technical Background
The easiest way to configure auditing on a Windows 2000 Domain Controller running Active Directory is to open “Domain Controller Security Policy” under Administrative Tools. On a Domain Controller this policy (the Group Policy object linked to the Domain Controllers OU) takes precedence over the Local Security Policy, so audit settings made in the Local Security Policy will be overwritten at the next policy refresh.
Once inside this MMC, expand Security Settings >> Local Policies >> Audit Policy.
Nine audit policies can be enabled.
For each audit policy, there is an option to enable auditing for Success and/or Failure events.
Customers often wish to enable auditing for successful and/or failed logons.
The two main policies to enable auditing for logon events are:
- “Audit Account Logon Events”: records credential validation (Kerberos ticket requests and NTLM authentication). For domain accounts these events are written to the Security Log of the Domain Controller that validated the credentials, not to the machine the user logged on to.
- “Audit Logon Events”: records the creation and termination of logon sessions (interactive, network, service and so on) on the machine where the session is created.
Enable both to see the authentication on the Domain Controller as well as the resulting session on the member machine or Domain Controller.
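The same two settings can be applied from the command line with a security template, which is useful when many machines must be configured identically. The template below is an added example, not part of the original article; the file name audit-logon.inf is an assumption. In the [Event Audit] section the value 0 means no auditing, 1 Success, 2 Failure and 3 Success and Failure.

```ini
; audit-logon.inf (constructed example; file name is an assumption)
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Event Audit]
; 0 = no auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
AuditAccountLogon = 3
AuditLogonEvents = 3
```

Apply it on a member server or workstation with secedit /configure /db %SystemRoot%\security\database\audit.sdb /cfg audit-logon.inf /areas SECURITYPOLICY /log audit-logon.log, then force the policy with secedit /refreshpolicy machine_policy /enforce. On a Domain Controller, import the template into the Domain Controller Security Policy instead (right-click Security Settings >> Import Policy...), otherwise the GPO will overwrite the local setting at the next refresh.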
Here are some examples of the type of event log entries generated in the Security Log after auditing is enabled on these two policies:
Audit Policy: Audit Account Logon Events
Setting: Success, Failure
Generated Event IDs: 672 and 673 for Success; 675 for Failure

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 8/9/2002
Time: 4:08:00 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Service Ticket Granted:
User Name: AT409$
User Domain: SDARGENT2.COM
Service Name: AT409$
Service ID: SDARGENT2\AT409$
Ticket Options: 0x40810010
Ticket Encryption Type: 0x17
Client Address: 127.0.0.1
---------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/9/2002
Time: 4:13:53 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Pre-authentication failed:
User Name: Administrator
User ID: SDARGENT2\administrator
Service Name: krbtgt/SDARGENT2
Pre-Authentication Type: 0x2
Failure Code: 24
Client Address: 127.0.0.1
---------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 8/9/2002
Time: 4:14:03 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Authentication Ticket Granted:
User Name: Administrator
Supplied Realm Name: SDARGENT2
User ID: SDARGENT2\administrator
Service Name: krbtgt
Service ID: SDARGENT2\krbtgt
Ticket Options: 0x40810010
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 127.0.0.1
---------------------------------------------------------------
Notes on the Account Logon entries: 672 is the Kerberos Authentication Service (TGT) request and 673 a Ticket-Granting Service (service ticket) request. Failure Code 24 (0x18) in event 675 is KDC_ERR_PREAUTH_FAILED, meaning the supplied password could not decrypt the pre-authentication timestamp, i.e. a wrong password for an existing account. Ticket Encryption Type 0x17 (23) is RC4-HMAC. Because these events are logged on the Domain Controller that validated the credentials, the Security Log of every Domain Controller must be collected to see all authentication attempts in the domain.

Audit Policy: Audit Logon Events
Setting: Success, Failure
Generated Event IDs: 528, 538 and 540 for Success; 529 for Failure
(The Event ID 565 entry below was captured in the same log, but its category is Directory Service Access: it is produced by the “Audit Directory Service Access” policy, not by “Audit Logon Events”.)

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 8/9/2002
Time: 4:28:23 PM
User: SDARGENT2\administrator
Computer: AT409
Description:
Object Open:
Object Server: DS
Object Type: groupPolicyContainer
Object Name: CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=sdargent2,DC=com
New Handle ID: 0
Operation ID: {0,975839}
Process ID: 244
Primary User Name: AT409$
Primary Domain: SDARGENT2
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: SDARGENT2
Client Logon ID: (0x0,0xED23C)
Accesses: Write Property
Privileges: -
Properties: Write Property %{00000000-0000-0000-0000-000000000000} versionNumber
---------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 8/9/2002
Time: 4:28:43 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Successful Network Logon:
User Name: AT409$
Domain: SDARGENT2
Logon ID: (0x0,0xEFBD5)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
---------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 8/9/2002
Time: 4:28:43 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
User Logoff:
User Name: AT409$
Domain: SDARGENT2
Logon ID: (0x0,0xEFC20)
Logon Type: 3
---------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 8/9/2002
Time: 4:29:50 PM
User: SDARGENT2\administrator
Computer: AT409
Description:
Successful Logon:
User Name: administrator
Domain: SDARGENT2
Logon ID: (0x0,0xF009A)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: AT409
---------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/9/2002
Time: 4:39:52 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: SDARGENT2
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: AT409
---------------------------------------------------------------
Notes on the Logon/Logoff entries: Logon Type 2 is an interactive (console) logon and Logon Type 3 a network logon; 528 and 540 record the start of a session, 538 its end, and the Logon ID ties a 538 to the 528 or 540 that opened the session. The “Unknown user name or bad password” reason in event 529 is deliberately the same for both conditions so that a failed attempt does not reveal which account names exist; the Domain Controller's Account Logon events (675 with its failure code) are the place to distinguish them.
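To show how these entries are consumed once collected, the following Python script is an added example (not part of the original article) that parses a Security Log saved as text from Event Viewer, pulls out the failed logons (675 on the Domain Controller, 529 on the logon machine) and flags accounts that exceed a failure threshold. The sample log text is constructed from three of the entries shown above; the failure-code and logon-type tables cover only the values that appear in them and are assumptions for anything else.

```python
import re
from collections import Counter

# Constructed sample: three entries from this article, one field per line as
# Event Viewer's "Save as text" export writes them, separated by dashed lines.
SAMPLE_LOG = r"""
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/9/2002
Time: 4:13:53 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Pre-authentication failed:
User Name: Administrator
User ID: SDARGENT2\administrator
Service Name: krbtgt/SDARGENT2
Pre-Authentication Type: 0x2
Failure Code: 24
Client Address: 127.0.0.1
------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 8/9/2002
Time: 4:29:50 PM
User: SDARGENT2\administrator
Computer: AT409
Description:
Successful Logon:
User Name: administrator
Domain: SDARGENT2
Logon ID: (0x0,0xF009A)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: AT409
------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/9/2002
Time: 4:39:52 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: SDARGENT2
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: AT409
"""

RECORD_SEP = re.compile(r"^-{10,}\s*$", re.MULTILINE)
# "Key: value" lines; the lazy key match stops at the first colon so that
# "Time: 4:13:53 PM" is split correctly.
FIELD = re.compile(r"^([A-Za-z][A-Za-z /-]*?):\s*(.*)$")

# Only the codes present in the sample (assumption: extend for production use).
KDC_FAILURE_CODES = {"24": "KDC_ERR_PREAUTH_FAILED (bad password)"}
LOGON_TYPES = {"2": "Interactive", "3": "Network"}


def parse_security_log(text):
    """Split an Event Viewer text export into one dict of field -> value per event."""
    events = []
    for chunk in RECORD_SEP.split(text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m and m.group(2):              # skip "Description:" / "Logon Failure:" headers
                fields.setdefault(m.group(1), m.group(2))
        if "Event ID" in fields:
            events.append(fields)
    return events


def failed_logons(events):
    """One record per failed logon: account, event ID, machine that logged it, reason."""
    out = []
    for e in events:
        eid = e["Event ID"]
        if eid == "675":                      # Kerberos pre-auth failure, logged on the DC
            code = e.get("Failure Code", "?")
            reason = KDC_FAILURE_CODES.get(code, "KDC failure code " + code)
        elif eid == "529":                    # session logon failure, logged where the logon was tried
            ltype = LOGON_TYPES.get(e.get("Logon Type"), "type " + e.get("Logon Type", "?"))
            reason = e.get("Reason", "unknown") + " [" + ltype + "]"
        else:
            continue
        out.append({"account": e["User Name"].lower(), "event_id": eid,
                    "computer": e["Computer"], "time": e["Time"], "reason": reason})
    return out


def accounts_over_threshold(events, threshold=2):
    """Accounts with at least `threshold` failed logons: a crude password-guessing indicator."""
    counts = Counter(f["account"] for f in failed_logons(events))
    return {acct: n for acct, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_security_log(SAMPLE_LOG)
    for f in failed_logons(evts):
        print(f"{f['time']} {f['computer']} {f['event_id']} {f['account']}: {f['reason']}")
    print("over threshold:", accounts_over_threshold(evts))
```

Account names are lower-cased before counting because the same account appears as “Administrator” in the Kerberos event and “administrator” in the Logon/Logoff event. In a real deployment the 675 events come from every Domain Controller's Security Log while the 529 events come from the machine where the logon was attempted, so the exports must be concatenated before the count is meaningful.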
Resolution
N/A