I am running Windows server 2008 and need to know how I can monitor/audit all the logon activity. I also need to know how to monitor/audit any changes to active directory. I have searched the event viewer for invalid logon attempts (i purposely tried a wrong password) and was not able to see it on the log. Am I doing something wrong?

You need to enable auditing. http://technet.microsoft.com/en-us/magazine/2008.03.auditing.aspx Here is the procedure: http://support.microsoft.com/kb/814595 http://support.microsoft.com/default.aspx/kb/921469?p=1 Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.

Hi there... I have the same question: How do I find out if my fascist network admin maliciously restricted my local user access from admin to standard user? So little background. This network admin guy is a sore-eyed fellow and came to remove one of my three monitors quoting that the company policy is 2 monitors when I was not around. My boss made him put it back yesterday. Today, I went into work and my programs all stopped working and I found out I've been downgraded from local admin to user. I guess this may have been inherited from general group security policies or it may be the network admin messing around with me. How can I tell for sure? The drama that unfolds in the email exchange is listed below. I'm person X and he is person Y. ================================================================================================ Person X I am very sure I had administrative rights on my local machine up till yesterday and I am suddenly not an administrator or power user anymore. Did you anyone in IT have anything to do with this? Person Y I checked with everyone on my staff and even called one of my field technicians who is off today. No one has done anything to your PC. Group policies are applied to all PCs that are on the domain during login. Use of Group Policy is standard practice in any wide scale deployment of PCs. This is how PCs are managed. Group policies apply security controls like screensaver lockouts, windows security updates, java security updates, etc. I did review your PC and I saw that you did not have Admin level access on your PC. I reassigned local admin level access to your ID . You’ll probably have to reboot in order for the changes to take effect. It is possible that the group policies may be removing your admin access but I don’t think that is the case. We have not made any changes to group policies in months and I can see from the log you provided that the group policies have been applied four times since you started here in September. ================================================================================================ I copied my windows back up from before (yesterday) and also made a ghost of today's current computer state (before I re-login). Also, I exported the entire registry of my local machine. Someone please help me out. Thanks, J