Wednesday, May 27, 2015

"Verbose" event logging in Windows

It always bothered me that my Windows 2008 Network Policy Server (aka RADIUS server) did not log the successfully authorized usernames. Fortunately, there is a way to break that stupid habit and get logging to work as expected.
Open an elevated command prompt and type this to get a list of your event categories and their subcategories:
Auditpol /list /subcategory:* /r  (optional)

Then type: (note that category name strings are localized!)
Auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable  
and... back up your policy(ies):
Auditpol /backup /file:C:\mypolic.csv  (optional)

Alternatively, logging of both Event 6273 and 6279 can be enabled via a GPO:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server (set both success and failure to enable). Don't forget to run gpupdate /force.
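Because the subcategory name is localized, the setting can also be checked and applied by the subcategory's GUID. The following PowerShell script is an added example, not part of the original post. It assumes an elevated PowerShell 2.0+ session; the function name Get-NpsAuditValue and the temporary file name are made up for illustration.

```powershell
# Added example. GUID of the "Network Policy Server" audit subcategory;
# unlike the display name, it is the same on every language version.
$NpsGuid = '{0CCE9243-69AE-11D9-BED3-505054503030}'

function Get-NpsAuditValue {
    # "auditpol /backup" writes a CSV whose last column is numeric:
    # 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
    $file = Join-Path $env:TEMP ("auditpol-{0}.csv" -f [guid]::NewGuid())
    try {
        auditpol /backup "/file:$file" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed (exit code $LASTEXITCODE)" }
        # Skip the header line and name the columns ourselves, so the
        # parsing does not depend on how the header row is worded.
        $cols = 'Machine', 'Target', 'Subcategory', 'Guid', 'Inclusion', 'Exclusion', 'Value'
        $row = Get-Content $file | Select-Object -Skip 1 |
            ConvertFrom-Csv -Header $cols |
            # Ignore per-user audit rows, whose policy target is a SID.
            Where-Object { $_.Guid -eq $NpsGuid -and $_.Target -notmatch '^S-1-' } |
            Select-Object -First 1
        if (-not $row) { throw "Subcategory $NpsGuid not found in the policy backup" }
        return [int]$row.Value
    }
    finally {
        Remove-Item $file -ErrorAction SilentlyContinue
    }
}

$before = Get-NpsAuditValue
if ($before -ne 3) {
    # Same change as the auditpol /set command above, addressed by GUID.
    auditpol /set "/subcategory:$NpsGuid" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed (exit code $LASTEXITCODE)" }
}
$after = Get-NpsAuditValue
"Network Policy Server auditing: before=$before, after=$after (3 = success and failure)"

# List the most recent events mentioned above (6273, 6279), if any exist yet.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 6279 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id
```

If a GPO defines this subcategory, the GPO value replaces the local setting at the next policy refresh, so a value that drops back from 3 points to a conflicting GPO.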

Further reading here.

