
I have enabled auditing on Windows Server 2012 R2 (domain controller) but, like I was warned, there are just way too many events being generated and it really doesn't tell me anything or is just too troublesome to look through.

The events I want to audit (success and failures) are:

  • When a PC is turned on
  • When a PC is turned off (and by who)
  • When a user logs on and on what PC
  • When a user logs off and on what PC
  • When a user reads, writes, etc. a file/folder on the file server
  • VPN related settings

I think those events are the ones that interest me. I have no interest in anything the user does on HIS computer, just things that have to do with domain access and file server access.

How do I set this up correctly?

riahc3

1 Answer


Some events are audited locally on the PC itself (such as power on/off), some on the server (file share access), and some on the DC (account logs into domain). Not all of them are related to or recorded on the DC.

You can enable auditing for local events in local group policy, or you can enable it in a domain GPO and link it to OUs. Domain logon auditing can be done only on Domain Controller policies.

File access auditing has to be enabled in GPO, as well as on the shares that you want to monitor (through SACL entries).

Your question is too broad to have a specific answer; you will have to get yourself familiar with how GPO/auditing works in Windows in general.

strongline
  • I think powerons and poweroffs of domain members can be registered on the DC – riahc3 Jul 14 '15 at 12:26
  • @riahc3, suppose a member server has a connection with the DC at the time of power on/off, and it's gracefully off, then yes, it will probably generate machine logon/logoff events, but that can't be used as a reliable indicator of whether a member is on/off. Such an event is generated on other occasions too. – strongline Jul 14 '15 at 12:45
  • I don't want an "indicator of whether a member is on/off". That is not the point. The point is to log when it turns off/on. Can someone rip the power cord off the PC and it doesn't get logged? Sure. But that's not the point. – riahc3 Jul 14 '15 at 12:49
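
As an added example (not part of the original answer or comments), this sketch sets up the two halves of file access auditing that the answer describes, the audit policy and the SACL on the monitored folder, from an elevated PowerShell session on the file server. The folder path and the audited principal are assumptions; substitute your own.

```powershell
# Assumed placeholder: the local folder behind the share you want to audit.
$Path = 'D:\Shares\Finance'

# 1. Audit policy on the file server: enable the "File System" subcategory
#    (Object Access category) for success and failure. A domain GPO that
#    configures this subcategory takes precedence over this local setting.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL on the folder: audit reads, writes and deletes, inherited by
#    subfolders and files. The principal is an assumption; a narrower group
#    produces fewer events.
$rights    = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Authenticated Users', $rights, $inherit, $propagate, $flags)

# Get-Acl returns the SACL only when called with -Audit.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Verify that both halves are in place. Without the policy the SACL logs
#    nothing, and without the SACL the policy has nothing to log.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

Matching accesses are then written to the Security log on the file server, not on the domain controller.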