In tip 1915, we determined the Windows NT 4.0 Audit Policy.
Windows 2000 stores the Audit Policy at:
HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv
Administrators do no have access to this key, but the SYSTEM account does.
Use the Task Scheduler, running in the SYSTEM context, tip 3215, to export the Audit Policy settings to a <Folder_Path>\FileName.reg file:
AT \[\\ComputerName\] HH:MM CMD /c "regedit /a <Folder_Path\FileName.reg> HKEY_LOCAL_MACHINE\Security\Policy\Poladtev"
The <Folder_Path\FileName.reg> file contains an entry similar to:
\[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev\] @=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00, 00,FF,00,00,00,GG,00,00,00,HH,00,00,00,II,00,00,00,ii,00,00,00
where:
ii Ignore these values. ZZ 01 indicates auditing is enabled, 00 means disabled. AA Audit System Events BB Audit Logon Events CC Audit Object Access DD Audit Privilege Use EE Audit Process Tracking FF Audit Policy Change GG Audit Account Management HH Audit Directory Service Access II Audit Account Logon Events If the value of the AA / II letter is 01, success auditing is enabled. If the value of the AA / II letter is 02, failure auditing is enabled. If the value of the AA / II letter is 03, success and failure auditing is enabled.
0 comments
Hide comments
