Hi, we are using EventSentry here to monitor all of our servers. We recently added in a new Server 2008 DC to be our "main" domain controller and for some reason we are not receiving any alerts for changes made to user accounts on this particular DC. For example, on all of our 2003 DCs if I add a new group to a user or remove one I get an email alert that I made the change. The 2008 DC is not sending any of these emails. I was able to successfully map over to the 2008 DC's admin share, push out the client and send an update to that machine, but still no emails. This DC is part of our default DC group policy so it should have auditing turned on, but if I look at its local security policy "audit logon events" is not configured even though it should be configured via group policy, and I can't make any changes to the local policy because it is greyed out.
Any ideas?
Hi Josh,
If you could open the EventSentry management console, and go to your Event Log Packages > Compliance and expand Group Management. If you look at the filter 'Distribution Group Member Added', under Event Source, do you see 'Microsoft-Windows-Security-Auditing' along with 'Security'? Also, under Event ID, do you see 4746, 4751, or 4761?
If you don't see any of those then it appears that the packages don't contain the correct information for 2008 systems. You can update this by going to 'Tools > Download Latest Packages...' and this will update your packages for you.
Under 'Distribution Group Member Added' I only have 'Security' listed under Event Source; the drop-down menu doesn't even have 'Microsoft-Windows-Security-Auditing' as an available option. I do however see Event IDs 4746, 4751 and 4761. I downloaded the newest packages and sent an updated config to the AD controller in question but it still does not send the alerts.
Steven - Yes I do see the 1035 event showing the packages installed on the DC
Ingmar - When I look at the DC's Local Security Policy it is telling me auditing is not configured, when I try to change that it is greyed out saying the setting is controlled by group policy. I checked the group policy setting and auditing is set to be configured. It is just the 2008 DC that is having this problem.
Any thoughts?
Also, if I run rsop.msc on the DC it does show the correct audit settings (i.e. account logon events are set to report), but I still do not get any alerts from that 2008 machine when I make user account changes on it.
OK, thanks.
A couple of questions. Which OS are the other DCs? Is it a 2003 domain overall, with just one 2008 DC?
We'd still need to know whether the events themselves are being generated when you make user changes, can you verify that? EventSentry can't report on events that aren't there, so before we troubleshoot ES, I'd like to make sure the security events are generated.
If they are not, then we'd be happy to help with your audit setup.
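One way to do the check asked for above directly on the 2008 DC, as an added example that is not from the thread or from EventSentry; the event IDs and the 2008 provider name come from the earlier reply, while the seven-day look-back window is an assumption:

```powershell
# Added example (not from the forum thread or from EventSentry): confirm on the
# 2008 DC that the relevant audit subcategory is enabled and that the group-
# management events the filter expects are actually written to the Security log.
# Run in an elevated PowerShell session on the DC.

# Event IDs named in the thread: 4746 / 4751 / 4761 = member added to a local /
# global / universal distribution group. On 2008 these events carry the provider
# name 'Microsoft-Windows-Security-Auditing' rather than the 2003 source 'Security'.
$eventIds = 4746, 4751, 4761
$provider = 'Microsoft-Windows-Security-Auditing'
$lookback = (Get-Date).AddDays(-7)   # assumption: one week is a reasonable window

# 1. Effective audit policy. On 2008 the subcategory is what counts; a legacy
#    category showing "Not Configured" in secpol.msc does not by itself mean
#    auditing is off. Distribution-group events fall under this subcategory.
$subcategory = 'Distribution Group Management'
$policy = auditpol /get /subcategory:"$subcategory" |
    Where-Object { $_ -match $subcategory } | Select-Object -First 1
Write-Host "Effective audit policy:" "$policy".Trim()
if ("$policy" -notmatch 'Success') {
    Write-Warning "Success auditing is not enabled for '$subcategory'; no events will be generated."
}

# 2. Are the events actually present in the Security log?
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = $provider
    Id           = $eventIds
    StartTime    = $lookback
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No $($eventIds -join '/') events from '$provider' since $lookback."
    Write-Warning "Make a test group-membership change and re-run; if the log stays empty, fix auditing before looking at the agent."
} else {
    # Events exist, so the gap is between the log and the alert: check that the
    # EventSentry filter lists this provider as an Event Source, not only 'Security'.
    $events | Group-Object Id | ForEach-Object {
        $latest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        "Event {0}: {1} occurrence(s), most recent {2}" -f $_.Name, $_.Count, $latest
    }
}
```

If step 2 lists events but no alert arrives, the filter's Event Source is the next thing to look at; if it lists nothing, the audit policy on the DC is the problem, not the agent.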
Yes, you are correct, all 2003 DCs except for the one 2008. Yes, I can see the account changes in the Security log on the 2008 DC, so it looks like the event is there but not being reported on.
Thanks for all your help so far.
Would it be possible for you to send us a copy of your configuration with the name of your 2008 box? You can do this by exporting the config from the management console by going to File > Export. Just zip up the .reg file and send that to support@netikus.net and reference this forum post; we will take a look at that here to see what we can see.
Because the config has so much information on our environment, other servers, and it is too large to really scrub we aren't comfortable sending along the config file. Are there other avenues we can try? Maybe a webex session?
Thank you. This week is very hectic but I will call in soon for that webex session.