Server 2008 Security Log Not Logging Events
Hello:

I have 2 DCs. One of them is Windows Server 2008 (this is the FSMO role master for all 5 roles); the second is Windows Server 2003 R2. Security log events such as account management are logging on the 2003 DC but not on the 2008 DC. I know the logs have not reached their max size/date. The logs are set to overwrite as needed. But then why will one server record the events and not the other?

Any help/ideas?

Thanks,
Miller-IT
February 23rd, 2010 4:24pm

Hi,

It is normal that the User Account Management events are logged on only one DC. The User Account Management event is logged only on the DC where the operation was performed.

Please log on to the Windows Server 2008 DC, open the Active Directory Users and Computers console, right-click DomainName in the console, click Change Domain Controller, ensure that the “Current Directory Server” is the Windows Server 2008 DC, and then click OK. After that, please disable a test user account to check if a User Account Management event is logged on the DC.

Thanks.

February 24th, 2010 6:29am

Hi Joson:

I have tried that. It shows the current DC is the 2008 server, but nothing is recording. It should record it instantly, correct? (I did wait 30 min to see if it was time delayed.)

The last time anything was recorded in the security log on this server is 2/9/2010, over two weeks ago. I would think some security event should have been logged in that time, especially logons and logoffs, and account lockouts, though those are being recorded on the 2003 server.

Let me know.

Thanks,
February 24th, 2010 3:05pm

Hi Joson:

I was looking into our group policy for our DC and this is what I found, maybe you can shed some light on the differences on these.

1. Audit account logon events    Setting is set to: No Auditing
2. Audit account management      Setting is set to: Success, Failure
3. Audit logon events            Setting is set to: Failure

This information was obtained by using the RSOP.MSC command.

But it is still strange that NOTHING has been logged on the 2008 server since 2/9/2010.
February 24th, 2010 3:30pm

Hi,

The audit setting looks fine. Based on the current situation, I suggest that you clear the security event log on the Windows Server 2008 DC and check the result.

Thanks.

February 25th, 2010 3:19am

Hello:

I cleared the log and it logged event ID 1102 - Log Clear. Then I disabled an account and still nothing shows in the log.

The reason I need this to work is so that I can have the server send me an email every time an account is created, disabled, removed/deleted, etc., for auditing purposes.

Thanks,
February 25th, 2010 10:43pm

Hi,

Is there any auditing event logged on the Windows Server 2003 DC when you disabled the user account on the Windows Server 2008 DC?

Meanwhile, please help collect the following information on the Windows Server 2008 DC for further research:

1. Please run the command wevtutil gl security on the DC and export the output to a file.

2. Please collect MPSReport on the DC:

1) Download the executable file from the following URL:
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE
2) Run the file on the computer.
3) After the tool finishes gathering the information, copy the cab file from the following folder:

C:\WINDOWS\MPSReports\DirSvc\cab

After that, please upload the files to the following space:

https://sftasia.one.microsoft.com/choosetransfer.aspx?key=3016e996-ae0f-43c8-8525-a60a6be3c270

Password: uvkGI^{Ur@oagaA

Thanks.

March 1st, 2010 8:19am

Server 2008 conveniently uses different Event ID's to those that 2003 uses for Account Management.

Are you looking for the new event id numbers on the 2008 server?

4720 - A user account was created.

4722 - A user account was enabled.

4723 - An attempt was made to change an account's password.

4724 - An attempt was made to reset an account's password.

4725 - A user account was disabled.

4726 - A user account was deleted.

4738 - A user account was changed.

4740 - A user account was locked out

March 1st, 2010 2:00pm
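As an added example (not code from the thread), here is how the Server 2008 account-management event IDs listed above can be pulled from the Security log and mailed out, which is the notification the original poster wanted. It assumes it runs elevated on the DC where the change was made (those events are written only there); the SMTP server and mail addresses are placeholders.

```powershell
# Added example, not from the thread: collect the Server 2008 account-management
# events listed in the post above and e-mail a summary. Run elevated on the DC
# where the account operation was performed.
$accountMgmtIds = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4740 = 'User account locked out'
}

# Get-WinEvent with a filter hashtable queries the log server-side; a query with
# no matches raises a non-terminating error, which is not a failure here.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($accountMgmtIds.Keys)
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No account-management events in the last 24h. Check auditpol and the 'Generate security audits' right."
    return
}

# EventData fields (TargetUserName, SubjectUserName, ...) live in the event XML.
$report = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        What   = $accountMgmtIds[$e.Id]
        Target = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        DC     = $e.MachineName
    }
}

$report | Format-Table -AutoSize

# Placeholder relay and addresses (assumptions, not from the thread).
Send-MailMessage -SmtpServer 'smtp.example.invalid' -From 'dc-audit@example.invalid' `
    -To 'admin@example.invalid' -Subject "Account management events: $(@($report).Count)" `
    -Body ($report | Format-List | Out-String)
```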

Yes, I was able to determine that Server 2008 does use different event IDs.

That was actually the first issue that I had to overcome.

Thanks though. :)

Miller-IT
March 1st, 2010 3:39pm

Hi Joson:

No, there was no log event on the 2003 DC.

I have uploaded the wevtutil command results. The file name is "wevtutil_results.txt".

I did run the MPSReports program, but there is no folder at that location "C:\WINDOWS\MPSReports\DirSvc\cab".

However, there is a location "C:\WINDOWS\MPSReports\DirSvc\logs\cab", but that location is empty.

What would the name of the file be so I can do a search for it?

Miller-IT
March 1st, 2010 4:00pm

Hi Miller,

There should be a lot of files generated in the "C:\WINDOWS\MPSReports\DirSvc\logs\" folder. Please zip the logs folder and upload to space.

Meanwhile, please also let me know the ACL of the %SystemRoot%\System32\Winevt\Logs\security.evtx.

Thanks.
March 2nd, 2010 3:10am

Hi Miller,

Please also confirm if you've ever set the audit policy by using the auditpol command.

Please run auditpol /get /category:"account management" on the Windows Server 2008 domain controller and let me know the result.
March 2nd, 2010 3:17am

Hi Joson:

I have never run the auditpol command. I did run it this time as you asked. The results are: all six (6) listed categories show "Success and Failure".

I have uploaded the zip file. The name of the file is "ICBDC1_Directory Service.zip".

The ACL for that file is: all people/groups have "Full Control" checked:

SYSTEM
Administrator (Domain\Administrators)
EventLog

Thanks,

Miller-IT
March 2nd, 2010 2:34pm

Hi Miller,

From the gpresult, I found that you removed Local Service and Network Service from the Generate security audits security setting.

This security setting determines which accounts can be used by a process to add entries to the security log, and Local Service and Network Service are added to the setting by default on a DC. I suspect that this may be the cause of the issue. Please add the entries back to the security setting and check the result.

Note: You may need to restart the DC for the change to take effect.
March 3rd, 2010 7:02am
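As an added example (not code from the thread), the following script checks the two settings this diagnosis turned on: whether Local Service and Network Service still hold the "Generate security audits" right (SeAuditPrivilege), and whether the User Account Management subcategory is audited at all. It assumes it runs elevated on the Server 2008 DC; the well-known SIDs S-1-5-19 and S-1-5-20 are Local Service and Network Service.

```powershell
# Added example, not from the thread: check the two settings that decide whether
# a Server 2008 DC writes audit events. Run elevated on the DC.
#  1. The "Generate security audits" right (SeAuditPrivilege) must still include
#     Local Service and Network Service, the defaults the thread found removed.
#  2. The User Account Management subcategory must actually be audited.

# Well-known SIDs of the two accounts granted the right by default.
$required = @{
    'S-1-5-19' = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20' = 'NT AUTHORITY\NETWORK SERVICE'
}

# secedit exports the effective user-rights assignment as an INI-style file.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -like 'SeAuditPrivilege*' }
Remove-Item $inf -Force

# Exported line looks like:  SeAuditPrivilege = *S-1-5-19,*S-1-5-20
$granted = @()
if ($line) {
    $granted = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
foreach ($sid in $required.Keys) {
    if ($granted -contains $sid) {
        Write-Host "OK       $($required[$sid]) holds SeAuditPrivilege"
    } else {
        Write-Warning "MISSING  $($required[$sid]) lacks SeAuditPrivilege; the Security log stays empty until it is restored (reboot afterwards)"
    }
}

# Effective audit policy for the subcategory discussed in the thread.
$setting = $null
foreach ($l in (auditpol /get /subcategory:"User Account Management")) {
    if ($l -match '^\s*User Account Management\s+(.+?)\s*$') { $setting = $Matches[1] }
}
if ($setting -and $setting -ne 'No Auditing') {
    Write-Host "OK       User Account Management auditing: $setting"
} else {
    Write-Warning "User Account Management auditing is '$setting'; enable it with:"
    Write-Warning 'auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable'
}
```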

Hi Joson:

I made the change and will find a time in the next day or two to see when I can have the server rebooted.

I will let you know the results. So far it is not working, I will try the reboot to see if that makes it work.

Thanks,

Miller-IT
March 3rd, 2010 5:17pm

Hi,

Thanks for your update.

Meanwhile, please check if there is an entry named CustomSD at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\ on the DC.

Thanks.
March 4th, 2010 8:14am

Hi,

Nope, there is not.

We are planning on rebooting tonight. At the time of this writing it is 9:05am Central Standard Time (GMT -6).

Thanks

Miller-IT
March 4th, 2010 3:08pm

Hi Joson:

It seems to be working now after being rebooted. The log repopulated with events that had happened since 2/9/2010, which is when it stopped. It must have remembered everything even though it wasn't populating the security event log.

I will keep looking at it and let you know how it works out.

Thanks.

Miller-IT

  • Marked as answer by Miller-IT Monday, March 15, 2010 2:28 PM
March 5th, 2010 12:21am

Hi Miller,

Glad to hear that the solution works. I will wait for your update.

Thanks.

March 5th, 2010 1:55am

Hi Miller,

Any update on the issue? Thanks.
March 9th, 2010 5:43am

Hi Joson:

I'm sorry for not getting back to you sooner. I was on vacation and out of the country.

After letting the server work for a week, while I was on vacation, it seems to be logging correctly.

Again, thank you for your help in this.

Miller-IT
March 15th, 2010 2:28pm

Great. Thanks for your update.
March 16th, 2010 1:20am

Hi All,

I have the same issue with my 2008 server.

I have run auditpol /get /category:"account management" and am getting the results below:

From the server which is having the issue:

C:\Users\SCSADM11>auditpol /get /category:"account management"
System audit policy
Category/Subcategory                      Setting
Account Management
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
  User Account Management                 No Auditing


For the other server, which doesn't have any issue with security logs:

C:\Users\scsadm11>auditpol /get /category:"account management"
System audit policy
Category/Subcategory                      Setting
Account Management
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure

Do you all have any ideas on this?

Thanks


July 28th, 2015 11:18pm

This is the event that I found in the security log of the server:

Log Name:      Security
Source:        Microsoft-Windows-Eventlog
Date:          5/14/2014 7:10:11 PM
Event ID:      1100
Task Category: Service shutdown
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      BPABPAP1.income.org.sg

July 28th, 2015 11:19pm
