To gather the proper information from the security event logs, the information must first be audited. You need to modify the Default Domain Controllers Policy to enable auditing.
NOTE: If you have not installed the Active Administrator® console, you also can use the Active Directory® Users and Computers MMC snap-in.

2. Select Group Policy | Group Policy Objects.
4. Expand Computer Configuration | Windows Settings | Security Settings | Local Policies, and select Audit Policy.
6. Close the Group Policy window.
7. At the command prompt, type gpupdate /force.
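
To confirm that the audit settings from the Default Domain Controllers Policy actually took effect after the refresh, you can read the effective audit policy back on the domain controller. The following is an added example, not part of the vendor documentation; it assumes an elevated PowerShell session on the domain controller and an English-language Windows installation (the `No Auditing` string is localized), and the function name is hypothetical.

```powershell
# Added example (not from the vendor documentation).
# Assumes: elevated PowerShell on the domain controller, English-language Windows.

function Get-EffectiveAuditPolicy {   # hypothetical helper name
    # auditpol /r emits CSV with the columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
    $raw = & auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol exited with $LASTEXITCODE; run from an elevated session."
    }
    $raw |
        Where-Object { $_ -and $_.Trim() } |      # drop blank lines
        ConvertFrom-Csv |
        Select-Object Subcategory,
            @{ Name = 'Guid';    Expression = { $_.'Subcategory GUID' } },
            @{ Name = 'Setting'; Expression = { $_.'Inclusion Setting' } }
}

# Re-apply Group Policy, as in the last step of the procedure.
& gpupdate.exe /force | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "gpupdate returned $LASTEXITCODE" }

$policy  = @(Get-EffectiveAuditPolicy)
$audited = @($policy | Where-Object { $_.Setting -ne 'No Auditing' })
$silent  = @($policy | Where-Object { $_.Setting -eq 'No Auditing' })

"{0} of {1} subcategories generate events" -f $audited.Count, $policy.Count
$audited | Sort-Object Subcategory | Format-Table Subcategory, Setting -AutoSize

if ($silent.Count -gt 0) {
    Write-Warning "$($silent.Count) subcategories are set to 'No Auditing':"
    $silent | Sort-Object Subcategory | ForEach-Object { "  $($_.Subcategory)" }
}
```

Subcategories reported as `No Auditing` write nothing to the security event log, so there is nothing for the audit agent to collect from them.
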
1. Select Auditing & Alerting | Agents.
2. Click Install.
3. Click Next.
5. If necessary, click Find Domain Controllers.
   • To select all listed domain controllers, click Select all.
   • To clear all the check boxes, click Clear all.
7. Click Next.

IMPORTANT: When installing the audit agent on a member server instead of a domain controller, the following inbound firewall exceptions for Windows® Management Instrumentation must be enabled:

Start collecting events immediately after installation of the agent

By default, Active Administrator monitors the status of the audit agent.

9. Click Next.
10. In the Run as box, type an account with domain administrator rights, or browse to locate an account, and enter the password.
11. To verify the account, click Test Audit Agent Account.
12. Click Next.
14. Click Next.
15. Click Finish.

NOTE: By default, the audit agent is activated upon installation. To change the default setting, select Configuration | Agent Installation Settings.

You can view details about the install in the AuditAgentInstall*.log file, which is located here: Program Files\Quest\Active Administrator\Server\Logging.

A wizard guides you through creating a new Active Administrator® alert. Alerts provide you the opportunity to combine different conditions into one alert that is sent to specified email recipients. You also can add a filter to the alert to further isolate audit events for the recipient.

1. Select Auditing & Alerting | Alerts.
2. Click New.
6. Click Next.
   • To add a new email address, click Add and type the email address.
8. Click Next.
   • To filter the list, type text in the Filter box. The list changes as you type characters. The definitions displayed contain the characters you type. For example, if you type com, the definitions displayed may contain the words Completed or Computer.
10. Click Next.
   a. Click Add to add a new alert filter.
   d. By default the filter conditions are combined using the OR operator. If you want to connect with the AND operator, select AND all conditions.
12. Click Next.
   a. Click Add to add a new quiet time.
   b. Select Enabled. To disable a quiet time, clear the check box.
   c. Select All Days or specify a specific day.
14. Click Next.
   a. Click Add to add a new threshold.
   b. Select Enabled. To disable a threshold, clear the check box.
19. Click Next.
   a. Select Enabled. To disable an action, clear the check box.
   e. Click OK.
16. Click Next.
18. Click Finish.

With workstation logon auditing, you can audit user logon and logoff events including lock and unlock. Enabling the default port adds these workstation events to the event definitions: