Guest Dan DeCoursey Posted August 20, 2008 Posted August 20, 2008 Hello , Is the security event log just refelcting login/logout auiting on the local PC? I went into a computer here and I see both succes and failure notices and all the failures are from people that dont use this computer(starts to make me think someone is hacking) ...... where does this secuirty auidting get setup ?? locally or via GP?
Guest Twayne Posted August 20, 2008 Posted August 20, 2008 Re: EVENT LOG - Security > Hello , > > Is the security event log just refelcting login/logout auiting on the > local PC? I went into a computer here and I see both succes and > failure notices and all the failures are from people that dont use > this computer(starts to make me think someone is hacking) ...... > where does this secuirty auidting get setup ?? locally or via GP? What are some of the names with the auidit failures? Things can glitch that prevent legit system signons from working until something else finishes; look later in the logs and see if the failure is followed by a success, too. System failures often are; outside attacks of course, never. More detail needed. Be specific.
Guest Dan DeCoursey Posted August 21, 2008 Posted August 21, 2008 Re: EVENT LOG - Security I as I stated...these are login failures I am working on Sue's computer she is in Accounting and in her security event log there are many many login failures listed.....so somewhere auditing is "turned on" and it appears that both success and failures are being logged into her security event log In her local security policy auditing is enabled for "success" and even if I am the admiistrator on this machine I cant change this policy setting...I can enable/disable other settings but this one is grayed out I go to Active directory and verfiy that Sue and her Computer are both in an OU I call "EXCULSION ZONE " this OU has no GP applied to it I use this OU when working on a user/computer problem.....so in AD there is no GP applied to her or her computer at the OU level In Sue's Security log message details are: user = SYSTEM Login account = some other completly unrelated user (from the planning department) Workstation = this other users workstation ID over in planning dept all these failure notices are being tagged to many various users in the planning department this is whats confusing........it is like these other users ( co incidence is all these "other users" are in the same department (planning) in our domain) who have problems loggin in are being audited and their failures are being listed in this Sue's event log Hope this is the level of detial needed "Twayne" wrote: > > Hello , > > > > Is the security event log just refelcting login/logout auiting on the > > local PC? I went into a computer here and I see both succes and > > failure notices and all the failures are from people that dont use > > this computer(starts to make me think someone is hacking) ...... > > where does this secuirty auidting get setup ?? locally or via GP? > > What are some of the names with the auidit failures? Things can glitch > that prevent legit system signons from working until something else > finishes; look later in the logs and see if the failure is followed by a > success, too. System failures often are; outside attacks of course, > never. > > More detail needed. Be specific. > > >
Recommended Posts