Spat's WebLog (Steve Patrick)

When things go wrong...

2003 SP1 - "new" feature... Per User Auditing


I'll post a few blogs on some new SP1 items which aren't detailed in http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx

 

There is a "new" feature in 2003 SP1 for Per User Auditing. It's not really new; it has been in there since RTM, but there was no real easy way to get at it and configure it via a GUI. There is now a command line tool called auditusr.exe.

 

Auditusr.exe was included in XP SP2 as well, but no one really documented it.

 

It modifies the following registry key, writing the specified SID and a REG_BINARY mask representing the inclusion/exclusion:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System

 

A few ground rules:

 

Administrator can be included but not excluded.

Built-in and Security groups can't be included/excluded.

If a user is in both the included and excluded groups, it is included.

 

 

Sample use:

 

C:\WINDOWS\system32>auditusr.exe /es  SpatsDomain\User1:"Object Access"

 

You can set the following categories:

 

System Event

Logon/Logoff

Object Access

Privilege Use

Detailed Tracking

Policy Change

Account Management

Directory Service Access

Account Logon

 

You can dump out the current settings via the /e switch:

 

Auditusr 1.0

SPATSDOMAIN\User1:exclude:success:Object Access

SPATSDOMAIN\User2:exclude:failure:Object Access

SPATSDOMAIN\Test2:exclude:success:Object Access
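
A review script for this dump format, added here as an example (it is not part of the original post or of auditusr.exe). It parses the /e output, applies the "included wins" rule above, and lists which per-user exclusions remain in effect. Assumptions: one category per line, the keyword `include` mirrors the `exclude` shown in the dump, the conflict rule applies per account, category and outcome, and the function names are hypothetical.

```python
from collections import namedtuple

# The nine categories listed in the post.
CATEGORIES = {"System Event", "Logon/Logoff", "Object Access", "Privilege Use",
              "Detailed Tracking", "Policy Change", "Account Management",
              "Directory Service Access", "Account Logon"}
Entry = namedtuple("Entry", "account mode outcome category")

def parse_dump(text):
    """Parse ACCOUNT:mode:outcome:category lines, skipping banner and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("auditusr "):
            continue
        parts = [p.strip() for p in line.rsplit(":", 3)]
        # "include" is assumed by symmetry; the post only shows "exclude".
        if (len(parts) != 4 or parts[1] not in ("include", "exclude")
                or parts[2] not in ("success", "failure") or parts[3] not in CATEGORIES):
            raise ValueError(f"unrecognised line: {line!r}")
        entries.append(Entry(parts[0].upper(), *parts[1:]))
    return entries

def effective_policy(entries):
    """Post's rule: an account both included and excluded is included.
    Assumption: the rule applies per (account, category, outcome)."""
    policy = {}
    for e in entries:
        key = (e.account, e.category, e.outcome)
        if policy.get(key) != "include":
            policy[key] = e.mode
    return policy

def review(entries):
    """Return (suppressed, unexpected): exclusions left in effect, and exclude
    entries for Administrator, which the post says cannot be excluded."""
    suppressed = sorted(k for k, m in effective_policy(entries).items() if m == "exclude")
    unexpected = [e for e in entries if e.mode == "exclude"
                  and e.account.rsplit("\\", 1)[-1] == "ADMINISTRATOR"]
    return suppressed, unexpected

# Banner and the three exclude lines are from the post; the last two are constructed.
SAMPLE = r"""Auditusr 1.0
SPATSDOMAIN\User1:exclude:success:Object Access
SPATSDOMAIN\User2:exclude:failure:Object Access
SPATSDOMAIN\Test2:exclude:success:Object Access
SPATSDOMAIN\User2:include:failure:Object Access
SPATSDOMAIN\Administrator:exclude:failure:Logon/Logoff
"""
```

Calling `review(parse_dump(SAMPLE))` returns the exclusions still in effect and any Administrator exclude entries, which is the list to check against who is expected to be exempt from auditing.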

 

 

Check auditusr.exe /? for more info.

 

PS: Since we edit the LSA keys I have found a reboot to be necessary to enforce the new settings. I am sure that Eric Fitzgerald can correct me if I am wrong on any points here.

 

Spat

 

  • The POSIX subsystem (from the Microsoft product Windows services for unix, version 3.5) seems to crash when SP1 is installed.

    I should probably report this through proper channel, but just happened to read your blog first :-)
  • Thanks for the information. It would be nice if Microsoft would provide a little more info on these hidden tools.
  • You mean more info on this specific tool or more info on obscure tools which don't seem to have documentation anywhere?

    spat
  • Sure it is documented!!!!

    Security Monitoring and Attack Detection

    http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/attackdetection.mspx

    Oh wait, the documentation misspelled the command. And oh yes, the examples that they posted don't work even if the command is spelled correctly.

    The joys of running windows
