Frequently Asked Questions About Auditing Under the NT 5.0 Post-Beta 1 Release
Five frequently asked questions about the NT 5.0 Post-Beta 1 release, with answers.
September 30, 1998
Q: In the Security Configuration Editor (SCE), what happens if I audit successful and failed events for all of the attributes in the Audit Policy?
You will be auditing all events, which can create information overload and decrease the performance of your system.
Q: Every time I turn on Audit Account Management in the SCE Audit Policy attributes, it turns itself off. Why?
The post-beta 1 release (i.e., build 1773) of NT 5.0 does not fully support this feature.
Q: Why am I generating dozens of logon and logoff events in the Security Log of the Event Viewer when I'm seemingly auditing few attributes?
Each time users query or access the Active Directory (AD), many Kerberos security authorizations occur. These authorizations account for the large number of logon and logoff events you are seeing. (For more information about Kerberos in NT 5.0, see Mark Russinovich, "Windows NT Security, Part 1," May 1998; Mark Russinovich, "Windows NT Security, Part 2," June 1998; Michael E. Chacon, "Kerberos Is on Guard in Windows NT 5.0," October 1997; and Mark Minasi, "Kerberos and NT 5.0," August 1997.)
Q: Why don't any of the events in the Security Log seem to hold any sensible data?
In the post-beta 1 release, the events do not yet have proper names, so expanding them gives you meaningless information, unless you know how to decode object identifiers. When NT 5.0 ships, these events will contain text strings, for which you can set up filters.
Q: AD spans multiple domain controllers, yet you must use SCE to enable auditing on individual servers. Why?
In AD, different domains in a network share a Global Catalog (GC), which contains summarized information (e.g., object attributes) for faster searches within those domains. However, an enterprise has only one GC, so you must set up GC replicas on each domain controller. (For more information about GC and GC replicas, see Mark Minasi, "NT 5.0 Gets Better and Better--Mostly," December 1997.) As a result, you need to enable auditing individually on all servers. To make the job easier, you can use SCE to define a security policy template for your domain controller and then apply that template to other domain controllers. Using a template not only saves you time, but also ensures all your domain controllers are using the same auditing policy.
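An added example of the template approach in the last answer (not from the original article): an SCE security template whose [Event Audit] section audits selectively, so the same file applied on every domain controller gives a uniform policy without the "audit everything" overload described in the first answer. The section and key names, the value encoding, and the secedit command are the ones used by the shipped Windows 2000 security templates; that the 1773 build accepts exactly this syntax is an assumption.

```ini
; Constructed example: dc-audit.inf, a Security Configuration Editor template
; for domain controllers. Apply the identical file on every DC so that all of
; them share one auditing policy.
; Value encoding: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure

[Version]
signature="$CHICAGO$"
Revision=1

[Event Audit]
; Setting every key below to 3 is the "audit everything" case: the Security Log
; fills quickly and system performance drops. Audit only what you will review.
AuditSystemEvents = 3
; Failures only: successful logon/logoff events are dominated by the Kerberos
; authorizations generated by ordinary AD queries and add little value.
AuditLogonEvents = 2
; Object access is only meaningful once SACLs exist on specific objects;
; leave it off until then, otherwise it is pure noise.
AuditObjectAccess = 0
AuditPrivilegeUse = 2
; Policy changes are rare and security-relevant: record both outcomes.
AuditPolicyChange = 3
; Account management turned itself off in build 1773; keeping the setting in
; the template means it takes effect once the shipping release supports it.
AuditAccountManage = 3
; Process tracking is very high volume; enable only during an investigation.
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 2

; Apply on each DC (Windows 2000 syntax, assumed to match the beta):
;   secedit /configure /db dc-audit.sdb /cfg dc-audit.inf /areas SECURITYPOLICY
```

After applying, compare the Security Log growth rate on one DC for a day before widening any setting from failure-only to success-and-failure.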