|
Posted by =?Utf-8?B?TWlrZQ==?= on March 8, 2006, 7:07 pm
If you were Registered and logged in, you could reply and use other advanced thread options
DC's are interactive, terminal services and unlock events for the domain
controllers only. There are no 528 events being logged for the workstations.
Through GPO, I've enabled "audit account logon events" and "audit logon
events" at the "default domain controller" policy and the "default domain"
policy.
I see 540's, 538's, and Kerberos events but no 528's for the workstations in
the domain.
I've verified this on two separate forests. One is production, one is pure
testing but both are Server 2003 w/SP1 and up-to-date patches. All of my
clients are XP SP2, up-to-date as well.
The production domain was a legacy upgrade from our initial Windows 2000 AD
deployment 6 years ago. The upgrade process was done using the docs so the
pre-req preps were done.
The test domain is a fresh 2k3 install, no legacy.
Both domains do exactly the same thing. Am I missing something?
The reason I am interested in 528 Type: 2 is because we'd like to compile
interactive login stats over time. Is there a better way of doing this?
Mike
PC Network Specialist
School of Architecture/Telecom
New Jersey Institute of Technology
"Andy1974" wrote:
> I am trying to see workstation interactive logins in the Windows 2003 DC
> event viewer but am not seeing the events. I am seeing Remoteinteractive as
> well as interactive directly into the Domain Controller itself. However
> workstation computers that are a member of the domain are not registering
> event 528 or 539 type 2's in the event viewer. I have Domain Security
> Settings for Audit account logon to Success and Audit logon events to
> success. I have Domain Controller Settings to audit account logon to Success
> and Failure and Audit Logon to Success and Failure. I am running Windows
> 2003 Small Business Server.
| 
XML site map