
Help, I'm at my wits' end trying to turn on XP auditing...


fly


I have a problem. I need to turn on XP's auditing features, but don't have an AD network. How can I do that?

I've taken a registry snapshot, turned on the auditing settings, then took another snapshot and found nothing.

Can anyone help me get these turned on?

edit: I didn't make this obvious, but I'm trying to script via .reg files or vbscript...

Edited by fly


You need to enable Auditing in the local machine policy first. In order to enable auditing on a local machine, go to Start Menu/Run, type in gpedit.msc. This should give you the Local Computer Policy. Expand Windows Settings, then Security Settings, then Local Policies, and finally click on Audit Policy. Select the kind of auditing you want to enable for all of the audit types.

Next you need to enable auditing for a particular resource, like a file, folder, or registry key.

For example, right click on a file and select Properties. Then click on the Security tab, then click on the Advanced button, and finally on the Auditing tab. Now you need to add the users/groups and actions which you want audited on that resource. Example: Add the user Everyone and select the action "Read". This will tell you if someone accessed the file in the Security Event Log.

Be careful in what you set to audit. If you select an entire subdirectory and audit success and failure of every possible action, you'll slow your machine to a crawl and generate tens of megabytes of log information. And in the end that means you're less likely to find what you're looking for. It usually takes a little time and experience to get the hang of how to fine tune your auditing, but the payoff is huge. I've documented and confirmed many bugs in software this way, proving an error in code or some other issue.

Good luck!


I want to enable logging of all success and all failures, but I need to be able to script this. I'm rolling out 400 machines this year and can't enable it on all of them.

Thanks for your quick reply!


You're rolling out 400 machines that are in a workgroup and not a domain? Well best of luck to you there. On the bright side of things, auditing is fully scriptable, in VBscript anyway, so if you've got any experience there it shouldn't be too difficult. If you don't have scripting experience, this is probably not too bad of a project to start with as it should be relatively simple.


You're rolling out 400 machines that are in a workgroup and not a domain? Well best of luck to you there. On the bright side of things, auditing is fully scriptable, in VBscript anyway, so if you've got any experience there it shouldn't be too difficult. If you don't have scripting experience, this is probably not too bad of a project to start with as it should be relatively simple.

Sadly, they are in an NT4 domain. I'm okay at scripting, but am unable to find any info on how to turn on auditing. Got any links?


I had to go and open my mouth. Recently I was researching scripting "Quotas" with VBscript and for some reason "Auditing" rang a bell in my head :blink: My mistake. But I felt like I should at least try to lead you in the right path after that last post I made promising the sun and more. Amazingly I can't find a single thing. Now I'm guessing that there is a way to do what it is that you want to do, but since it is so easily achieved using Active Directory, nobody has bothered to write about it. Here is another theory I have - the way it would be done is to tap into LDAP/ADSI using VBscript which may not be a feasible way to script this in an NT4 environment (that is non Active Directory).

I did some fairly comprehensive searches in the Windows IT Magazine VIP CD, Microsoft's TechNet and MSDN sites, and ExpertExchange. The only hits that are even moderately related seem to be scripting Microsoft MOM for auditing based on events.


Anyone able to convert some vb.net code to vbscript? (looks the same to me, but I don't know a thing about vb.net)

I found the following code in this usenet post

' --- CodeSnip: Begin
' Requires a reference to System.Management.dll and "Imports System.Management"
' at the top of the source file.

' Connect to the RSOP namespace on the target machine
Dim mngScopeRSOP As New ManagementScope( "\\[SERVER]\root\rsop\computer" )
mngScopeRSOP.Options.Impersonation = ImpersonationLevel.Impersonate 'Default
mngScopeRSOP.Options.Username = "[USER]"
mngScopeRSOP.Options.Password = "[PWD]"
mngScopeRSOP.Options.EnablePrivileges = True
mngScopeRSOP.Connect()

' Only update an existing instance, never create a new one
Dim putOptions As New PutOptions
putOptions.Type = PutType.UpdateOnly
putOptions.UseAmendedQualifiers = True

' Bind to the audit policy entry for system events
Dim moAuditPolicy As New ManagementObject _
    ( _
        mngScopeRSOP , _
        New ManagementPath( "RSOP_AuditPolicy.Category='AuditSystemEvents',precedence=1" ) , _
        Nothing _
    )
moAuditPolicy.Properties( "Failure" ).Value = True

Try
    moAuditPolicy.Put( putOptions )
Catch exAuditPut As Exception
    ' --- Error occurred
End Try

' --- CodeSnip: End

If someone can make this work, I'd be willing to paypal ya some $$. Thanks!

Edited by fly

This may be of some help (oddly, but possibly).

http://www.networksecurityarchive.org/html...9/msg00107.html

http://www.codecomments.com/archive299-2005-9-613300.html

I'm well versed in VBScript, VB 6 and C#, but I have zero experience with Auditing and Active Directory, though I am familiar with the principles behind NTFS file permissions and security.


Use secedit.exe for that purpose, I have managed to do that. Just type "secedit" in Run to see the usage. If you are currently using Windows XP with SP2, please apply the KB897327 hotfix (details described in http://support.microsoft.com/kb/897327). Note you must contact Microsoft Product Support Services to obtain the hotfix, or you can get it from the "Unofficial Windows XP Service Pack 3", which can be downloaded from http://www.softpedia.com/get/System/OS-Enh...3-Preview.shtml.
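
The secedit approach from the post above, as an added example that is not from any poster in this thread: a batch file that writes a security template enabling success and failure auditing for every audit category and applies it with secedit /configure. The file names under %TEMP% are assumptions; in the [Event Audit] section 0 = none, 1 = success, 2 = failure, 3 = both.

```batch
@echo off
rem Added example: turn on success+failure auditing for all categories
rem on a single XP machine via a security template. Run as a local
rem administrator. The file names below are assumptions.
setlocal
set "INF=%TEMP%\audit-all.inf"
set "SDB=%TEMP%\audit-all.sdb"
set "LOG=%TEMP%\audit-all.log"

rem Start from a fresh database so settings left over from an earlier
rem run are not merged into this one.
if exist "%SDB%" del "%SDB%"

rem Write the template. The redirection is placed in front of the block
rem so that a trailing "3" is never parsed as a file handle ("3>").
> "%INF%" (
  echo [Version]
  echo signature="$CHICAGO$"
  echo Revision=1
  echo [Event Audit]
  echo AuditSystemEvents = 3
  echo AuditLogonEvents = 3
  echo AuditObjectAccess = 3
  echo AuditPrivilegeUse = 3
  echo AuditPolicyChange = 3
  echo AuditAccountManage = 3
  echo AuditProcessTracking = 3
  echo AuditDSAccess = 3
  echo AuditAccountLogon = 3
)

rem Apply only the security policy area of the template.
secedit /configure /db "%SDB%" /cfg "%INF%" /areas SECURITYPOLICY /log "%LOG%" /quiet
if errorlevel 1 (
  echo secedit failed or reported warnings, see "%LOG%"
  exit /b 1
)
echo Audit policy applied.
endlocal
```

The result can be checked in gpedit.msc under Audit Policy. Object access events are still only logged for files, folders or registry keys that have auditing entries set on them, as described earlier in the thread.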


Use secedit.exe for that purpose, I have managed to do that. Just type "secedit" in Run to see the usage. If you are currently using Windows XP with SP2, please apply the KB897327 hotfix (details described in http://support.microsoft.com/kb/897327). Note you must contact Microsoft Product Support Services to obtain the hotfix, or you can get it from the "Unofficial Windows XP Service Pack 3", which can be downloaded from http://www.softpedia.com/get/System/OS-Enh...3-Preview.shtml.

omg sweet! Thanks!!!


  • 2 weeks later...

Hi - yes, I have found that it's a lot more difficult to turn on auditing from a script than you would think.

1) Get ADsSecurity.dll from http://download.microsoft.com/msdownload/a.../x86/en/Sdk.zip

2) Place it in \winnt\system32 or \windows\system32 and activate it by typing REGSVR32.EXE ADsSecurity.DLL

3) Copy/paste the ad.vbs file from http://www.serverwatch.com/tutorials/article.php/1476741 and he has some instructions about how to use it. Unfortunately he says he will write an article about auditing from scripts but I have not found it yet - but this program is at least capable of doing it, he says.

Three parts:

http://www.serverwatch.com/tutorials/article.php/1476721

http://www.serverwatch.com/tutorials/article.php/1476741

http://www.serverwatch.com/tutorials/article.php/1476751
