fly Posted January 11, 2006 Share Posted January 11, 2006 (edited) I have a problem. I need to turn on XPs auditing features, but don't have an AD network. How can I do that?I've taken a registry snapshot, turned on the auditing settings, then took another snapshot and found nothing.Can anyone help me get these turned on?edit: I didn't make this obvious, but I'm trying to script via .reg files or vbscript... Edited January 11, 2006 by fly Link to comment Share on other sites More sharing options...
RogueSpear Posted January 11, 2006 Share Posted January 11, 2006 You need to enable Auditing in the local machine policy first. In order to enable auditing on a local machine, go to Start Menu/Run, type in gpedit.msc. This should give you the Local Computer Policy. Expand Windows Settings, then Security Setting, then Local Policies, and finally click on Audit Policy. Select the kind of auditing you want to enable for all of the audit types.Next you need to enable auditing for a particular resource, like a file, folder, or registry key.For example, right click on a file and select Properties. Then click on the Security tab, then click on the Advanced button, and finally on the Auditing tab. Now you need to add users/groups and actions for which you want audited on that resource. Example: Add the user Everyone and select the action "Read". This will tell you if someone accessed the file in the Security Event Log.Be careful in what you set to audit. If you select an entire subdirectory and audit success and failure of every possible action, you'll slow your machine to a crawl and generate tens of megabytes of log information. And in the end that means you're less likely to find what you're looking for. It usually takes a little time and experience to get the hang of how to fine tune your auditing, but the payoff is huge. I've documented and confirmed many bugs in software this way, proving an error in code or some other issue.Good luck! Link to comment Share on other sites More sharing options...
fly Posted January 11, 2006 Author Share Posted January 11, 2006 I want to enable logging of all success and all failures, but I need to be able to script this. I'm rolling out 400 machines this year and can't enable it on all of them.Thanks for your quick reply! Link to comment Share on other sites More sharing options...
RogueSpear Posted January 11, 2006 Share Posted January 11, 2006 You're rolling out 400 machines that are in a workgroup and not a domain? Well best of luck to you there. On the bright side of things, auditing is fully scriptable, in VBscript anyway, so if you've got any experience there it shouldn't be too difficult. If you don't have scripting experience, this is probably not too bad of a project to start with as it should be relatively simple. Link to comment Share on other sites More sharing options...
fly Posted January 11, 2006 Author Share Posted January 11, 2006 You're rolling out 400 machines that are in a workgroup and not a domain? Well best of luck to you there. On the bright side of things, auditing is fully scriptable, in VBscript anyway, so if you've got any experience there it shouldn't be too difficult. If you don't have scripting experience, this is probably not too bad of a project to start with as it should be relatively simple.Sadly, they are in an NT4 domain. I'm okay at scripting, but am unable to find any info on how to turn on auditing. Got any links? Link to comment Share on other sites More sharing options...
RogueSpear Posted January 11, 2006 Share Posted January 11, 2006 I had to go and open my mouth. Recently I was researching scripting "Quotas" with VBscript and for some reason "Auditing" rang a bell in my head My mistake. But I felt like I should at least try to lead you in the right path after that last post I made promising the sun and more. Amazingly I can't find a single thing. Now I'm guessing that there is a way to do what it is that you want to do, but since it is so easily achieved using Active Directory, nobody has bothered to write about it. Here is another theory I have - the way it would be done is to tap into LDAP/ADSI using VBscript which may not be a feasible way to script this in an NT4 environment (that is non Active Directory).I did some fairly comprehensive searches in the Windows IT Magazine VIP CD, Microsoft's TechNet and MSDN sites, and ExpertExchange. The only hits that are even moderately related seem to be scripting Microsoft MOM for auditing based on events. Link to comment Share on other sites More sharing options...
fly Posted January 11, 2006 Author Share Posted January 11, 2006 Thank you for even looking. It is appreciated. I did manage to find a way to check audit policy with WMI, so I may be getting there... Link to comment Share on other sites More sharing options...
fly Posted January 12, 2006 Author Share Posted January 12, 2006 (edited) Anyone able to convert some vb.net code to vbscript? (looks the same to me, but I don't know a thing about vb.net)I found the following code in this usenet post' --- CodeSnip: BeginDim mngScopeRSOP As New ManagementScope( "\\[SERVER]\root\rsop\computer" ) mngScopeRSOP.Options.Impersonation = ImpersonationLevel.Impersonate 'Default mngScopeRSOP.Options.Username = "[USER]" mngScopeRSOP.Options.Password = "[PWD]" mngScopeRSOP.Options.EnablePrivileges = True mngScopeRSOP.Connect()Dim putOptions As New PutOptions putOptions.Type = PutType.UpdateOnly putOptions.UseAmendedQualifiers = True Dim moAuditPolicy As New ManagementObject _ ( _ mngScopeRSOP , _ New ManagementPath( "RSOP_AuditPolicy.Category='AuditSystemEvents',precedence=1" ) , _ Nothing _ ) moAuditPolicy.Properties( "Failure" ).Value = True Try moAuditPolicy.Put( putOptions ) Catch exAuditPut As Exception ' --- Error occurd End Try' --- CodeSnip: EndIf someone can make this work, I'd be willing to paypal ya some $$. Thanks! Edited January 12, 2006 by fly Link to comment Share on other sites More sharing options...
fly Posted January 13, 2006 Author Share Posted January 13, 2006 Link to comment Share on other sites More sharing options...
jcarle Posted January 14, 2006 Share Posted January 14, 2006 This may be of some help (oddly, but possibly).http://www.networksecurityarchive.org/html...9/msg00107.htmlhttp://www.codecomments.com/archive299-2005-9-613300.htmlI'm well versed in VBScript, VB 6 and C#, but I have zero experience with Auditing and Active Directory, though I am familiar with the principals behind NTFS file permissions and security. Link to comment Share on other sites More sharing options...
Rico.JohnnY Posted January 14, 2006 Share Posted January 14, 2006 Use secedit.exe for that purpose, i have managed to do that. Just type "secedit" in run to see the usage. If you are currentlly using windows XP with SP2, please apply the KB897327 hotfix.(detail described in http://support.microsoft.com/kb/897327). Note you must contact Microsoft Product Support Services to obtain the hotfix, or you can get it from the "Unofficial Windows XP Service Pack 3",which can be downloaded from http://www.softpedia.com/get/System/OS-Enh...3-Preview.shtml. Link to comment Share on other sites More sharing options...
fly Posted January 17, 2006 Author Share Posted January 17, 2006 Use secedit.exe for that purpose, i have managed to do that. Just type "secedit" in run to see the usage. If you are currentlly using windows XP with SP2, please apply the KB897327 hotfix.(detail described in http://support.microsoft.com/kb/897327). Note you must contact Microsoft Product Support Services to obtain the hotfix, or you can get it from the "Unofficial Windows XP Service Pack 3",which can be downloaded from http://www.softpedia.com/get/System/OS-Enh...3-Preview.shtml.omg sweet! Thanks!!! Link to comment Share on other sites More sharing options...
RogueSpear Posted January 17, 2006 Share Posted January 17, 2006 Wow, talk about a nice little bit of info there. Thanks from me too Link to comment Share on other sites More sharing options...
alan_huxford Posted January 30, 2006 Share Posted January 30, 2006 Hi - yes I have found that its a lot more difficult to do turn on auditing from a script then you would think1) get ADsSecurity.dll from http://download.microsoft.com/msdownload/a.../x86/en/Sdk.zip2 ) place it in \winnt\system32 or \windows\system32 and activate by typing REGSVR32.EXE ADsSecurity.DLL3) copy/ paste the ad.vbs file from http://www.serverwatch.com/tutorials/article.php/1476741 and he has some instructions about how to use it. unfortunatly he says he will write an artical about auditing from scripts but I have not found it yet - but this program is at least capible of doing it, he says.three partshttp://www.serverwatch.com/tutorials/article.php/1476721http://www.serverwatch.com/tutorials/article.php/1476741http://www.serverwatch.com/tutorials/article.php/1476751 Link to comment Share on other sites More sharing options...
RogueSpear Posted January 31, 2006 Share Posted January 31, 2006 Wow, those are excellent articles. I'm going to get a ton of use out of those Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now