KBI 220155 Configuring Auditing For Windows 2000 Logon Events

Version

All

Date

19 Aug 2002

Summary

This KBI article explains how to configure auditing for Windows 2000 logon events.

Technical Background

The easiest way to configure auditing on a Windows 2000 Domain Controller running Active Directory is to select “Domain Controller Security Policy” under Administrative Tools. This opens the Default Domain Controllers Policy, the Group Policy object linked to the Domain Controllers OU, so the settings apply to every domain controller in the domain rather than to a single machine.

Once inside this MMC, expand Security Settings >> Local Policies >> Audit Policy. The change takes effect at the next policy refresh; run secedit /refreshpolicy machine_policy to apply it immediately.

Nine audit policies can be enabled.

For each audit policy, there is an option to enable auditing for Success and/or Failure events.

Customers often want to audit successful and/or failed logons.

The two main policies to enable for logon auditing are:

  1. “Audit Account Logon Events”, which records credential validation on the computer that holds the account (for domain accounts, the domain controller; these are the Kerberos ticket events shown below).

  2. “Audit Logon Events”, which records the logon sessions created on the computer where the logon actually takes place.

On a domain controller both apply, so enable both. A failed domain logon at a workstation appears as an Account Logon failure on the DC and as a Logon/Logoff failure on the workstation, so the two categories must be read together.
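The same two settings expressed as a Windows 2000 security template, as an added example that is not part of this KBI. The file name audit-logon.inf is an assumption; the [Event Audit] key names and the value encoding (0 = no auditing, 1 = Success, 2 = Failure, 3 = Success and Failure) are those used by the templates that ship with Windows 2000:

```ini
; audit-logon.inf -- Windows 2000 security template (added example, not from
; the KBI).  File name is an assumption.  [Event Audit] values: 0 = no auditing,
; 1 = Success, 2 = Failure, 3 = Success and Failure.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Event Audit]
; The two policies this article recommends, both for Success and Failure:
AuditAccountLogon = 3
AuditLogonEvents = 3
```

Apply it on a domain controller with secedit /configure /db %TEMP%\audit.sdb /cfg audit-logon.inf /areas SECURITYPOLICY /log %TEMP%\audit.log, or import it into the Domain Controller Security Policy (right-click Security Settings, Import Policy...) so that the next Group Policy refresh does not revert a locally applied setting. Running secedit /analyze against the same template later reports any drift from these values.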

Here are some examples of the Security log entries generated after auditing is enabled for these two policies:

Audit Policy: Audit Account Logon Events
Setting: Success, Failure
Generated Event IDs 672 (Authentication Ticket Granted, i.e. a Kerberos TGT) and 673 (Service Ticket Granted) for Success; Event ID 675 (Pre-authentication failed) for Failure.

In the 675 record below, Failure Code 24 is KDC_ERR_PREAUTH_FAILED, the Kerberos error returned when the supplied password is wrong; Pre-Authentication Type 2 is PA-ENC-TIMESTAMP and Ticket Encryption Type 0x17 is RC4-HMAC. Do not filter on 675 alone: ticket requests that fail after pre-authentication are logged as 676 (authentication ticket request failed) and 677 (service ticket request failed), and NTLM authentications produce their own Account Logon event IDs.

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 8/9/2002
Time: 4:08:00 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Service Ticket Granted:
User Name: AT409$
User Domain: SDARGENT2.COM
Service Name: AT409$
Service ID: SDARGENT2\AT409$
Ticket Options: 0x40810010
Ticket Encryption Type: 0x17
Client Address: 127.0.0.1

---------------------------------------------------------------------------------------------------------------

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/9/2002
Time: 4:13:53 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Pre-authentication failed:
User Name: Administrator
User ID: SDARGENT2\administrator
Service Name: krbtgt/SDARGENT2
Pre-Authentication Type: 0x2
Failure Code: 24
Client Address: 127.0.0.1

---------------------------------------------------------------------------------------------------------------

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 8/9/2002
Time: 4:14:03 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Authentication Ticket Granted:
User Name: Administrator
Supplied Realm Name: SDARGENT2
User ID: SDARGENT2\administrator
Service Name: krbtgt
Service ID: SDARGENT2\krbtgt
Ticket Options: 0x40810010
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 127.0.0.1

Audit Policy: Audit Logon Events
Setting: Success, Failure
Generated Event IDs 528 (interactive logon), 538 (logoff) and 540 (network logon) for Success; Event ID 529 for Failure. Logon Type 2 is an interactive (console) logon and Logon Type 3 a network logon.

The Event ID 565 record below has the category Directory Service Access. It is produced by the Audit Directory Service Access policy, not by Audit Logon Events; it appears in this capture but is not a logon event and should not be counted as one.

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 8/9/2002
Time: 4:28:23 PM
User: SDARGENT2\administrator
Computer: AT409
Description:
Object Open:
Object Server: DS
Object Type: groupPolicyContainer
Object Name: CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=sdargent2,DC=com
New Handle ID: 0
Operation ID: {0,975839}
Process ID: 244
Primary User Name: AT409$
Primary Domain: SDARGENT2
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: SDARGENT2
Client Logon ID: (0x0,0xED23C)
Accesses Write Property
Privileges -
Properties:
Write Property
%{00000000-0000-0000-0000-000000000000}
versionNumber

---------------------------------------------------------------------------------------------------------------

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 8/9/2002
Time: 4:28:43 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Successful Network Logon:
User Name: AT409$
Domain: SDARGENT2
Logon ID: (0x0,0xEFBD5)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

---------------------------------------------------------------------------------------------------------------

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 8/9/2002
Time: 4:28:43 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
User Logoff:
User Name: AT409$
Domain: SDARGENT2
Logon ID: (0x0,0xEFC20)
Logon Type: 3

---------------------------------------------------------------------------------------------------------------

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 8/9/2002
Time: 4:29:50 PM
User: SDARGENT2\administrator
Computer: AT409
Description:
Successful Logon:
User Name: administrator
Domain: SDARGENT2
Logon ID: (0x0,0xF009A)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: AT409

---------------------------------------------------------------------------------------------------------------

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/9/2002
Time: 4:39:52 PM
User: NT AUTHORITY\SYSTEM
Computer: AT409
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: SDARGENT2
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: AT409
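A small parser and failed-logon detector for records in this text form, as an added example that is not part of the original KBI. It assumes records are separated by the dashed lines shown above and that the first line after "Description:" is the record's title. SAMPLE_LOG is constructed to mirror the captures (Date, Time, User and Computer lines left out for brevity; they parse the same way), the Kerberos code table is a subset of the RFC 1510 values, and the two-failure threshold in suspicious_accounts is an assumption, not a figure from the article:

```python
# Parser/detector for Windows 2000 Security log records in the text form the
# Event Viewer shows.  Added example, not from the original KBI.  SAMPLE_LOG is
# constructed to mirror the captures above, not a real export.
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = """\
Event Type: Failure Audit
Event Category: Account Logon
Event ID: 675
Description:
Pre-authentication failed:
User Name: Administrator
User ID: SDARGENT2\\administrator
Service Name: krbtgt/SDARGENT2
Pre-Authentication Type: 0x2
Failure Code: 24
Client Address: 127.0.0.1
----------------------------------------
Event Type: Failure Audit
Event Category: Logon/Logoff
Event ID: 529
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Logon Type: 2
Authentication Package: Negotiate
Workstation Name: AT409
----------------------------------------
Event Type: Success Audit
Event Category: Logon/Logoff
Event ID: 540
Description:
Successful Network Logon:
User Name: AT409$
Logon Type: 3
Authentication Package: Kerberos
Workstation Name:
"""

# Well-known values.  Windows 2000 prints the Kerberos error code in decimal
# (RFC 1510 numbering); int(x, 0) also accepts the 0x form of later versions.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock"}
KRB_FAILURE_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 18: "KDC_ERR_CLIENT_REVOKED",
                     24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}
_SEP = re.compile(r"^-{10,}\s*$", re.M)   # record separator line

@dataclass
class Event:
    event_id: int
    failed: bool     # True for "Failure Audit"
    account: str     # "User Name" from the description, lower-cased
    title: str       # first description line, e.g. "Pre-authentication failed"
    fields: dict     # remaining "Key: Value" description lines

def _kv(line):
    key, sep, value = line.partition(":")     # split on the first colon only
    return (key.strip(), value.strip()) if sep else None

def parse_events(text):
    """Split an exported log on separator lines and parse each record."""
    events = []
    for chunk in _SEP.split(text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if not lines:
            continue
        i = lines.index("Description:")
        header = dict(p for p in map(_kv, lines[:i]) if p)
        # lines without a colon (e.g. "Accesses Write Property" in 565) are skipped
        fields = dict(p for p in map(_kv, lines[i + 2:]) if p)
        events.append(Event(int(header["Event ID"]), header["Event Type"] == "Failure Audit",
                            fields.get("User Name", "").lower(), lines[i + 1].rstrip(":"), fields))
    return events

def explain(ev):
    """One-line reading of a logon-related record."""
    if ev.event_id == 675:
        code = int(ev.fields["Failure Code"], 0)
        return (f"675 Kerberos pre-auth failed for {ev.account} from "
                f"{ev.fields.get('Client Address')}: {KRB_FAILURE_CODES.get(code, code)}")
    lt = int(ev.fields.get("Logon Type", 0))
    return (f"{ev.event_id} {'FAILED' if ev.failed else 'ok'} {ev.account} logon type "
            f"{lt} ({LOGON_TYPES.get(lt, '?')}) via {ev.fields.get('Authentication Package')} "
            f"{ev.fields.get('Reason', '')}").rstrip()

def failed_logons(events):
    """Group 529/675 failures by account: {account: [explanation, ...]}."""
    out = defaultdict(list)
    for ev in events:
        if ev.failed and ev.event_id in (529, 675):
            out[ev.account].append(explain(ev))
    return dict(out)

def suspicious_accounts(events, threshold=2):
    """Accounts with at least `threshold` failures (the threshold is an assumption)."""
    return sorted(a for a, r in failed_logons(events).items() if len(r) >= threshold)

if __name__ == "__main__":
    print(*map(explain, parse_events(SAMPLE_LOG)), suspicious_accounts(parse_events(SAMPLE_LOG)), sep="\n")
```

Running the block prints one line per record and the accounts that crossed the threshold. Grouping is by the lower-cased User Name, which is what joins the 675 record (on the DC) and the 529 record (where the logon was attempted) for the same account; on a real export the 565 record's colon-less lines are simply ignored by the parser.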

Resolution

N/A