[gptalk] Re: 'Audit privilege use' won't turn off

  • From: "Andrew McHale" <Andrew.McHale@xxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 6 Aug 2008 11:49:09 +0100

Hi all.

Yes, that registry key does exist on this workstation, but it has a Binary
value of 00, which I believe is disabled from what I read.

This is a brand new XP SP3 (fully patched) install so no-one has
"created" this key. I therefore assume it is present by default now.


Using my existing GPO the 'Audit privilege use' shows 'No auditing' in
the local security policy and has the System GP icon next to it.

If I then remove the setting from the GPO and reboot the workstation it
still shows as 'No auditing' but now has the Local GP icon next to it.

In either situation I am still getting Privilege Use events in my
Security log!

If I set my existing GPO to audit only 'Failure' events it still logs
successful privilege use.


Every event has an ID of 576 which, according to Technet
(http://technet.microsoft.com/en-us/library/cc784501.aspx) means:

"Specified privileges were added to a user's access token. Note: This
event is generated when the user logs on."

Should this event be covered by the 'Audit privilege use' setting, as it
seems to be a privilege Alteration rather than Use?

Anyone else got any ideas?

Andrew



-----Original Message-----
From: jfvanmeter@xxxxxxxxxxx [mailto:jfvanmeter@xxxxxxxxxxx] 
Sent: 05 August 2008 18:33
To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: 'Audit privilege use' won't turn off

Did anyone ever create this reg
HKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing key? I
know it will enable a ton of user privileges being logged.

--
"When the legend becomes fact, print the legend." 


 -------------- Original message ----------------------
From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> Andrew-
> 
> Strange. What happens if you try disabling it on the local GPO on the 
> workstation?
> 
> 
> Darren
> 
>  
> 
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew McHale
> Sent: Tuesday, August 05, 2008 8:20 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] 'Audit privilege use' won't turn off
> 
> Hi all.
> 
> I have set the attribute "Audit privilege use" to "No auditing" in my 
> default domain policy.
> 
> I have run RSOP on a workstation and it confirms this setting is 
> inherited from my default domain policy and set to No auditing, yet I 
> still get these events appearing in my security log.
> 
> Any idea why?
> 
> Many thanks
> 
> Andrew

