Get answers to your security-related Win2K questions

\[Editor's Note: Do you have a security-related question about Windows 2000? Send it to rsmith@montereytechgroup.com, and you might see the answer in this column!\]

I've turned on auditing of success and failure for both Audit logon events and Audit account logon events in the Default Domain Policy Group Policy Object (GPO) linked to my domain's root. To test the policy, I tried to log on with an invalid password. My Windows 2000 Professional workstation's Security log showed the failed logon attempts, but my domain controller's (DC's) Security log didn't. I thought that enabling Audit account logon events would let me track these events centrally on my DC so that I wouldn't have to check each workstation's Security log. What am I doing wrong?

You can control the audit policy on computers in your domain using GPOs. (To reach the Default Domain Policy GPO, open the Microsoft Management Console—MMC—Active Directory Users and Computers snap-in, select your domain's root, right-click, select Properties, then click the Group Policy tab.) In addition to Default Domain Policy, another GPO—Default Domain Controllers Policy—is linked to the DC's organizational unit (OU). These policies are the only two GPOs that Win2K automatically creates. Default Domain Controllers Policy has a predefined audit policy that explicitly disables auditing, but you can modify the policy. Win2K automatically places DCs in the DC OU. When a computer applies GPOs, it applies them from the domain root down to the OU that contains the computer. When two or more GPOs specify conflicting values for the same policy, the last GPO applied wins. Therefore, the audit policy in Default Domain Controllers Policy is overriding the audit policy in Default Domain Policy.

To start auditing account logon events, you can either enable auditing for this category in Default Domain Controllers Policy or switch the policy to not defined, in which case Default Domain Policy will be the only GPO specifying an audit policy.
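The precedence rule behind both fixes is easy to get wrong, because an explicit "No auditing" in a later GPO and a "Not Defined" in a later GPO look similar in the editor but resolve differently. The following script is an added example, not code from the column or from Microsoft: it models the resolution rule the answer describes (GPOs apply from the domain root down to the computer's OU, a later GPO overrides an earlier one only for the settings it actually defines) and checks the effective policy on the DC under the as-shipped configuration and under each of the two fixes. The GPO contents are constructed to match the reader's scenario; the model deliberately ignores site-linked GPOs, link order within one container, Block Inheritance and No Override, and it assumes the workstation has no OU-linked GPO above it other than Default Domain Policy.

```python
"""Simplified model of Group Policy audit-setting precedence (added example)."""
from typing import Dict, List, Optional, Tuple

# An audit category is either None ("Not Defined" in the GPO editor) or a
# (success, failure) pair; (False, False) is the explicit "No auditing" value.
AuditSetting = Optional[Tuple[bool, bool]]
AuditPolicy = Dict[str, AuditSetting]

LOGON = "Audit logon events"
ACCOUNT_LOGON = "Audit account logon events"

# Constructed GPOs mirroring the reader's setup: Default Domain Policy enables
# both categories for success and failure; Default Domain Controllers Policy,
# as the column describes it, defines the same categories as "No auditing".
DEFAULT_DOMAIN_POLICY: AuditPolicy = {
    LOGON: (True, True),
    ACCOUNT_LOGON: (True, True),
}
DEFAULT_DC_POLICY_AS_SHIPPED: AuditPolicy = {
    LOGON: (False, False),
    ACCOUNT_LOGON: (False, False),
}


def effective_audit_policy(gpo_chain: List[AuditPolicy]) -> AuditPolicy:
    """Resolve the audit policy a computer ends up with.

    gpo_chain is ordered the way Windows applies it: the domain-root GPO
    first, the GPO linked to the OU that contains the computer last, so the
    last GPO that defines a category wins. A category left Not Defined
    (None) in a later GPO never overrides an earlier value.
    """
    effective: AuditPolicy = {}
    for gpo in gpo_chain:
        for category, setting in gpo.items():
            if setting is not None:
                effective[category] = setting
    return effective


def failure_auditing_gaps(policy: AuditPolicy, required: List[str]) -> List[str]:
    """Return the categories in `required` whose failure auditing is off,
    whether explicitly disabled or never defined by any GPO."""
    gaps = []
    for category in required:
        setting = policy.get(category)
        if setting is None or not setting[1]:
            gaps.append(category)
    return gaps


def workstation_policy() -> AuditPolicy:
    """Assumed: only Default Domain Policy applies to the workstation."""
    return effective_audit_policy([DEFAULT_DOMAIN_POLICY])


def dc_policy_as_shipped() -> AuditPolicy:
    """A DC in the Domain Controllers OU: the DC GPO is applied last and wins."""
    return effective_audit_policy([DEFAULT_DOMAIN_POLICY, DEFAULT_DC_POLICY_AS_SHIPPED])


def dc_policy_with_not_defined() -> AuditPolicy:
    """Fix 1 from the column: set the category to Not Defined in the DC GPO,
    so Default Domain Policy becomes the only GPO defining it."""
    dc_gpo = dict(DEFAULT_DC_POLICY_AS_SHIPPED)
    dc_gpo[ACCOUNT_LOGON] = None
    return effective_audit_policy([DEFAULT_DOMAIN_POLICY, dc_gpo])


def dc_policy_with_explicit_enable() -> AuditPolicy:
    """Fix 2 from the column: enable the category directly in the DC GPO."""
    dc_gpo = dict(DEFAULT_DC_POLICY_AS_SHIPPED)
    dc_gpo[ACCOUNT_LOGON] = (True, True)
    return effective_audit_policy([DEFAULT_DOMAIN_POLICY, dc_gpo])


if __name__ == "__main__":
    scenarios = [
        ("workstation", workstation_policy),
        ("DC as shipped", dc_policy_as_shipped),
        ("DC, category Not Defined", dc_policy_with_not_defined),
        ("DC, category enabled", dc_policy_with_explicit_enable),
    ]
    for name, resolve in scenarios:
        policy = resolve()
        gaps = failure_auditing_gaps(policy, [ACCOUNT_LOGON])
        print(f"{name}: {ACCOUNT_LOGON} = {policy[ACCOUNT_LOGON]}, gaps = {gaps}")
```

Note that the Not Defined fix only re-enables the one category you change: the other categories the DC GPO still defines as "No auditing" keep overriding the domain GPO, which `failure_auditing_gaps` reports if you pass it the full list of categories you expect to see on the DC.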

The difference between Audit logon events and Audit account logon events is where Win2K tracks and records the logon events. Audit logon events tracks and records events at the workstation, whereas Audit account logon events tracks and records events centrally at your DC. (Audit account logon events also shows the low-level Kerberos logon details.) For more information, see my Windows 2000 Magazine article "Audit Account Logon Events" (March 2001).