Security Log entries on domain controllers

Hi Everyone,
I started working in an environment where they must log all security events due to regulations on one of the domains. It has 200 Windows XP and Windows 7 computers and about 200 users give or take. It has several servers including 2 Windows 2008 R2 domain
controllers.
The security log on domain controller 1 fills up to 400 MB after a week, archives the log, clears the log and starts all over again. The security log on the domain controller 2 reaches 400 MB every day and archives the entries, clears them and starts again.
Sometimes the domain controller 2 will reach 400 MB two or three times in a day.
The other sys admin tells me this issue just started three months ago and he can't determine why. Both servers only reached 400 MB once a week in the past. I've looked at the logs and don't see errors. There are a hundreds of thousands of logon\logoff events--ID
4634. It shows domain controller 1 constantly connecting to domain controller 2. This doesn't seem to be expected behavior for such a small domain? I'd appreciate any guidance on how to reduce the security entries without cutting back on logging.
Thanks,
Greg

Hi Greg,
Please post the exact event message for further troubleshooting.
In addition, please note that support for Windows XP ended on April 8, 2014, please upgrade Windows XP machines as soon as possible.
A notification about the end of Windows XP support
http://support.microsoft.com/kb/2934207
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Similar Messages

[WRT400N] Several security log entries - every minute

I have several entries in the security log that I have no idea where they are coming from. They are all blank like this:
Incorrect User login : Username is , Password is From 192.168.1.101=> Wed Mar 17 17:42:48 2010
Incorrect User login : Username is , Password is From 192.168.1.101=> Wed Mar 17 17:43:48 2010
Incorrect User login : Username is , Password is From 192.168.1.101=> Wed Mar 17 17:44:48 2010
The only exception are a few on the first day these started appearing:
ncorrect User login : Username is badcred, Password is himom
From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is admin, Password is From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is admin, Password is admin From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is admin, Password is 1234 From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is admin, Password is password From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is , Password is admin From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is , Password is From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is admin, Password is motorola From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is root, Password is From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is , Password is password From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is root, Password is !root From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is Admin, Password is Admin From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is Admin, Password is From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is admin, Password is junxion From 192.168.1.101=> Tue Mar 9 15:04:12 2010
Incorrect User login : Username is admin, Password is cableroot From 192.168.1.101=> Tue Mar 9 15:04:12 2010
SInce I am getting blank entries every minute, I'm curious what would be causing this. The first entries are obvious that someone was trying to access with various passwords.
Solved!
Go to Solution.

Well, if it is your computer it looks as if you have some malware running on your computer which tries to hack into your router... Or did you try those passwords at any time?

OpsMgr EventId 26007 on Domain Controllers "The EventLog service reported that the Security event log on computer ' ' is corrupt."

Hi,
We are receiving several eventids '26007' from the OpsMgr log on our Domain Controllers, also eventids '26008' with similar description are logged
The EventLog service reported that the Security event log on computer '<Domain Controller Computer>' is corrupt. The Windows Event Log Provider will attempt to recover by re-opening log.
I'll appreciate any suggestion in order to solve this issue.
Regards.

I guess this issue is caused by event ID 4661 is corrupted in security event log.
Please check if you have many 4661 events in security event log and XML view cannot be viewed.
Running the below command on DC will disable the auditing of the SAM Object access. This should stop the Event ID 4661 from being logged which should stop the Alert regarding corrupt Event log:
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
Regards,

Help with Powershell script to gather eventlogs from all Domain Controllers

I am trying to write a script to grab the last 5 days of application, security and system logs from all domain controllers. The script runs but only pulls the logs from the local server. The $Computer variable has all of my DC's so it is querying fine. I
assume it is an issue with my ForEach-Object line but it doesn't error out. See the script below.
$log = "Application"
$date = get-date -format MM-dd-yyyy
$now = get-date
$subtractDays = New-Object System.TimeSpan 5,0,0,0,0
$then = $Now.Subtract($subtractDays)
$Computers = Get-ADDomainController -filter *
ForEach-Object -InputObject $Computers -Process {Get-EventLog -LogName $log -After $then -Before $now -EntryType Error | select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File $env:TEMP\Applicationlog.htm}
Invoke-Expression $env:TEMP\Applicationlog.htm
Thanks,
Rich

Also, you're missing the -ComputerName parameter in the Get-EventLog Cmdlet.
I would re-write the loop part of the script like this:
$log = "Application"
$date = get-date -format MM-dd-yyyy
$now = get-date
$subtractDays = New-Object System.TimeSpan 5,0,0,0,0
$then = $Now.Subtract($subtractDays)
$Computers = Get-ADDomainController -filter *
foreach ($Computer in $computers) {
Get-EventLog -ComputerName $Computer -LogName $log -After $then -Before $now -EntryType Error |
select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File .\Applicationlog.htm -append
Invoke-Expression .\Applicationlog.htm
Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)

AD get records of security log..

Hello everyone:)
i must get some records (by event id, time, etc..) of security log.
adler_steven answer me for previous my post(http://forum.java.sun.com/thread.jspa?threadID=5292943&messageID=10238354#10238354)
he sad look at http://forum.java.sun.com/thread.jspa?threadID=5116320&tstart=15
I must use WMI HTTP Mapper and some WBEM library...
Ok, i install and configure WMI HTTP Mapper and use next source for try get :) security log, by this dont work...
connect success, but retrieving information failed
adler_steven :) help me :)
*EXHIBIT A - Sun Industry Standards Source License
*"The contents of this file are subject to the Sun Industry
*Standards Source License Version 1.2 (the "License");
*You may not use this file except in compliance with the
*License. You may obtain a copy of the
*License at http://wbemservices.sourceforge.net/license.html
*Software distributed under the License is distributed on
*an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either
*express or implied. See the License for the specific
*language governing rights and limitations under the License.
*The Original Code is WBEM Services.
*The Initial Developer of the Original Code is:
*Sun Microsystems, Inc.
*Portions created by: Sun Microsystems, Inc.
*are Copyright � 2001 Sun Microsystems, Inc.
*All Rights Reserved.
*Contributor(s): _______________________________________
import java.io.IOException;
import java.util.Enumeration;
import javax.wbem.cim.*;
import javax.wbem.client.*;
import javax.wbem.client.UserPrincipal;
import javax.wbem.client.PasswordCredential;
* This class will perform an CIMClient.execQuery using a WQL query string that
* is passed on the command line. If a query isn't passed on the command line,
* the user will be prompted for the query
public class TestQuery {
    public TestQuery(String args[]) {
        String serverName = "win2003";
        String user = "administrator";
        String pass = "welcome1";
        CIMClient cimClient = null;
        CIMObjectPath cimPath = null;
        String wbemNameSpace = "root/CIMV2";
        int wbemPortNumber = 5988;
        String wbemProtocol = CIMClient.CIM_XML;
        try {
                System.out.println("connecting..\n");
                String hostURL = "http://" + serverName + ":" + wbemPortNumber;
                CIMNameSpace cimNameSpace = new CIMNameSpace(hostURL,wbemNameSpace);
                UserPrincipal userName = new UserPrincipal(user);
                PasswordCredential userPass = new PasswordCredential(pass);
                cimClient = new CIMClient(cimNameSpace,userName,userPass,wbemProtocol);
        catch (CIMException e) {
                System.err.println("Failed to access CIMOM: " + e);
        try {
                System.out.println("get win32_ntlogevent");
                cimPath = new CIMObjectPath("Win32_NTLogEvent");
                System.out.println("cimPath");
                Enumeration e = cimClient.enumerateInstances(cimPath); // this line hang
                System.out.println("Enumeration");
                if (e.hasMoreElements()) {
                        CIMInstance ci = (CIMInstance)e.nextElement();
                        // i think, there must be properties of Win32_NTLogEvent Class, such as message, eventid, eventcode...
                        CIMProperty cp = ci.getProperty("Message");
                        System.out.println("   Message: " + cp.getValue());
                System.out.println("stop get win32..");
                cimClient.close();
        catch (NullPointerException e) {
                System.err.println("Null Pointer Exception: " + e);
        catch (CIMException e) {
                System.err.println("Failed to enumerate WBEM Info: " + e);
    public static void main(String args[]) {
     new TestQuery(args);
{code}
Edited by: Jeqpbl4 on Jun 9, 2008 4:24 AM

I figure I've abused enough people today on the forum, that it's time to redeem myself.
Firstly, as I've always admitted, I'm not a Java developer, so there may be better ways of doing this. Secondly, I'm not an expert on WBEM/WMI, so I'm not sure of the different classes, methods or properties that WBEM exposes. I think I recommended some references in the links mentioned in this post, so if you want to dig deeper, go read those.
This is just a quick and dirty WBEM query that retrieves the security events. One thing I discovered is that if you have lots of events, you'll get a heap overflow exception. I guess there may be a way to retrieve pages of results, otherwise use a more refined query to return a smaller number of records.
* WBEMQueryLog, retrieve the entries from the security log from a server
* demonstrating the use of a WBEM Query
import java.io.*;
import java.util.*;
import javax.wbem.cim.*;
import javax.wbem.client.CIMClient;
import javax.wbem.client.UserPrincipal;
import javax.wbem.client.PasswordCredential;
public class wbemquerylog {
    public static void main(String args[]) throws CIMException {
     CIMClient cc = null;
     CIMObjectPath cop = null;
     CIMInstance ci = null;
     String hostname = "myServer";
     String nameSpace = "root/CIMV2";
     int portNumber = 5988;
     String hostURL = "http://" + hostname + ":" + portNumber;
     String protocol = CIMClient.CIM_XML;
     try {
         CIMNameSpace cns = new CIMNameSpace(hostURL,nameSpace);
         UserPrincipal username = new UserPrincipal("myServer/Administrator");
         PasswordCredential password = new PasswordCredential("XXXXXX");
         cc = new CIMClient(cns,username,password,protocol);
     catch (CIMException e) {
          System.err.println("Failed to access CIMOM: " + e);
          System.exit(1);
     cop = new CIMObjectPath();
     //lets try to get the Security Log entries, using a query
     try {
          cop = new CIMObjectPath();//"Win32_NTLogEvent");
          String query = "Select * from Win32_NTLogEvent where Logfile='Security'";
          Enumeration e = cc.execQuery(cop,query,CIMClient.WQL);
          for (int i = 1;e.hasMoreElements();i++) {
               System.out.println("Event: " + i);
               System.out.println(e.nextElement());
     catch (CIMException e) {
          System.err.println("Failed to query security log: " + e);
          System.exit(1);
     System.exit(0);
}If you want to retrieve specific Security Log Events, you could construct a more complex query, such as below, which will find Account Logon Failures
String query = "Select * from Win32_NTLogEvent where Logfile='Security' And EventCode = '681'";You could also use an enumeration as you have done, the only thing I haven't bothered to work out is how to enumerate the Security log itself, rather than every event in all the logs. I guess it's just a matter of working out what the CIM Path is, if it as at all possible.
* WBEMEnumLog, enumerate the NTEventLogs from a server
* Should find out the full CIM Path for the security logs
import java.io.*;
import java.util.*;
import javax.wbem.cim.*;
import javax.wbem.client.CIMClient;
import javax.wbem.client.UserPrincipal;
import javax.wbem.client.PasswordCredential;
public class wbemenumlog {
    public static void main(String args[]) throws CIMException {
     CIMClient cc = null;
     CIMObjectPath cop = null;
     CIMInstance ci = null;
     String hostname = "myServer";
     String nameSpace = "root/CIMV2";
     int portNumber = 5988;
     String hostURL = "http://" + hostname + ":" + portNumber;
     String protocol = CIMClient.CIM_XML;
     try {
         CIMNameSpace cns = new CIMNameSpace(hostURL,nameSpace);
         UserPrincipal username = new UserPrincipal("myServer/Administrator");
         PasswordCredential password = new PasswordCredential("XXXXXX");
         cc = new CIMClient(cns,username,password,protocol);
     catch (CIMException e) {
          System.err.println("Failed to access CIMOM: " + e);
          System.exit(1);
     cop = new CIMObjectPath();
     try {
          Enumeration en = cc.enumNameSpace(cop,true);
          if (en != null) {
               while (en.hasMoreElements()) {
                    CIMObjectPath obj = (CIMObjectPath)(en.nextElement());
                    System.out.println("Namespace: " + obj.toString());
     catch (CIMException e) {
          System.err.println("Failed to enumerate namespace: " + e);
          System.exit(1);
     //lets try to get the event logs
     try {
          cop = new CIMObjectPath("Win32_NTLogEvent");
          System.out.println("Host: " + cop.getHost());
          System.out.println("Object Name: " + cop.getObjectName());
          String attrs[] = {"Logfile","Sourcename","EventIdentifier","EventType","TimeGenerated","Type","CategoryString","User"};
          Enumeration e = cc.enumerateInstances(cop,false,false,false,false,attrs);
          for (int i = 1;e.hasMoreElements();i++) {
               System.out.println("Disk: " + i);
               System.out.println(e.nextElement());
     catch (CIMException e) {
          System.err.println("Failed to enumerate Event Log: " + e);
          System.exit(1);
     System.exit(0);
}Good luck....

Audit/Log GPO changes and Logging of new addition of Domain Controllers in the Event Log

Hi all,
We am trying to log the following items in the event log for Windows 2012. This applies to a domain controller.
1) Audit any changes made to the Group Policy
2) Log the addition of new domain controllers added to the system.
We need the windows event log to record the above events for security purposes. Can anyone advise if this is doable? If yes what are the steps.
Thank you

Hi,
>>1) Audit any changes made to the Group Policy
We can enable audit for directory service object access and configure specific SACL for group policy files to do this.
Regarding how to step-to-step guide for auditing changes of group policy, the following two blogs can be referred to for more information.
Monitoring Group Policy Changes with Windows Auditing
http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx
Auditing Group Policy changes
http://blogs.msdn.com/b/canberrapfe/archive/2012/05/02/auditing-group-policy-changes.aspx
>>2) Log the addition of new domain controllers added to the system.
Based on my knowledge, when a server is successfully promoted to be domain controller, event ID 29223 will be logged in the System log.
Regarding this point, the following thread can be referred to for more information.
Is an Event ID for a completed Domain Controller promotion logged on the PDC?
https://social.technet.microsoft.com/Forums/windowsserver/en-US/11b18816-7db0-49e2-9a65-3de0e7a9645e/is-an-event-id-for-a-completed-domain-controller-promotion-logged-on-the-pdc?forum=winserverDS
Best regards,
Frank Shen

Fetch client IP addresses from the Netlogon.log file of all domain controllers in the domain

Hi,
The event ID 5807 is logged in the system logs of domain controllers as a result of which the IP addresses for the missing subnets are logged in Netlogon.log under %systemroot%/debug. The end goal is to fetch the IP addresses along with rest of the respective
attributes from the Netlogon.log for all the domain controllers in the domain. I have the following script however, it gives me a 0KB file despite the fact that the Netlogon.log on the DC contains ample entries from last two months.
function GetDomainControllers {
$DCs=[system.directoryservices.activedirectory.domain]::GetCurrentDomain() | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
return $DCs
function GetNetLogonFile ($server) {
$path= '\\' + $server + '\c$\windows\debug\netlogon.log'
try {$netlogon=get-content -Path $path -ErrorAction stop}
catch { "Can't open $path"}
#reverse the array's order to the end of the file
[array]::Reverse($netlogon)
$IPs=@()
foreach ($line in $netlogon) {
#split the line into pieces using a space as the delimiter
$splitline=$line.split(' ')
#Get the date stamp which is in the mm/dd format
$logdate=$splitline[0]
#split the date
$logdatesplit=($logdate.split('/'))
[int]$logmonth=$logdatesplit[0]
#last month and this month
if (($logmonth -eq $thismonth) -or ($logmonth -eq $lastmonth)) {
#only push it into an array if it matches an IP address format
if ($splitline[5] -match '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'){
$objuser = new-object system.object
$objuser | add-member -type NoteProperty -name IPaddress -value $splitline[5]
$objuser | add-member -type NoteProperty -name Computername -value $splitline[4]
$objuser | add-member -type NoteProperty -name Server -value $server
$objuser | add-member -type NoteProperty -name Date -value $splitline[0]
$objuser | add-member -type NoteProperty -name Time -value $splitline[1]
$IPs+=$objuser
} else {
#break out of loop if the date is not this month or last month
break
return $IPs
#Get last month's date
$thismonth=(get-date).month
$lastmonth=((get-date).addmonths(-1)).month
#get all the domain controllers
$DomainControllers=GetDomainControllers
#Get the Netlogon.log from each DC
Foreach ($DomainController in $DomainControllers) {
$IPsFromDC=GetNetLogonFile($DomainController)
$allIPs+=$IPsFromDC
$allIPs | Sort-Object -Property IPaddress -Unique | Export-Csv "E:\bin\NetlogonIPs.csv"
PLEASE HELP!!

Hi jrv,
Thanks a lot for your help.
I understand you cannot keep on iterating the code for me. However, I am stuck at this error :-
ERROR : Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime."
After the following code finishes executing, I get the following output :-
$csv=cat c:\windows\debug\netlogon.log |
%{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)}|
ConvertFrom-Csv -Delimiter '|' -header time,message
time message
04/14 01:18:45
NO_CLIENT_SITE: ServerX 10.x.x.x
04/14 01:17:45
NO_CLIENT_SITE: ServerY 10.x.x.x
04/14 01:17:44
NO_CLIENT_SITE: ServerY 10.x.x.x
04/14 01:17:43
NO_CLIENT_SITE: ServerX 10.x.x.x
However, I get the above mentioned error at the following line :-
$csv|%{$_.time=[datetime]::Parse(($_.time -replace ' ','/2015 '))}
I would later want to run the query just for logs from past day.
Entire code is as follows :-
function GetDomainControllers {
$DCs=[system.directoryservices.activedirectory.domain]::GetCurrentDomain() | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
return $DCs
function GetNetLogonFile ($server) {
$path= 'C:\Test\netlogon.log'
try {$netlogon=get-content -Path $path -ErrorAction stop}
catch { "Can't open $path"}
#reverse the array's order to the end of the file
[array]::Reverse($netlogon)
foreach ($line in $netlogon) {
$csv= $netlogon | %{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)}| ConvertFrom-Csv -Delimiter '|' -header time,message | Out-Gridview
$csv|%{$_.time=[datetime]::Parse(($_.time -replace ' ','/2015 '))}
#get all the domain controllers
$DomainControllers=GetDomainControllers
#Get the Netlogon.log from each DC
Foreach ($DomainController in $DomainControllers) {
GetNetLogonFile($DomainController)
Please help!! Any help will be highly appreciated.

Allow log on through Remote Desktop Services Group Policy for Domain Controllers

Hello,
We want to allow our Helpdesk Operators to be able to connect to Domain Controllers with the Remote Desktop Services. This is by default not allowed but according to many sites, it should be able to configure by using a Group Policy.
We made a new Group Policy with the setting 'Allow log on through Remote Desktop Services' and 'Allow log on locally' (as an extra for testing) and applied Security Filtering to only use it for a specific Security Group. Our test user is a member of this
security group and should be able to access the Domain Controllers now. However this isn't working.
The error message we receive upon trying to connect:
The connection was denied because the user account is not authorized for remote login.
For troubleshooting, we also applied the Security Group for that setting in the Default Domain Controllers Policy but that doesn't seem to work either. We want to avoid customization on our Default Domain Controllers Policy but this was just a test case
for solving our problem.
What should we do to solve our problem?
I hope to hear from you soon.
Thanks in advance.

Hi, I just found out what the problem was. This site helped me alot:
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
In my case, I had the group added to the Allow Logon Through Remote Desktop Services but was not added to the Builtin\Remote Desktop Users group. After knowing this I made some changes to our situation and are now using the builtin\Remote Desktop Users group
rather than a new self made Security Group. I also added the Remote Desktop Users to the Allow Logon Through Remote Desktop Service in the Default Domain Controllers Policy as this is not done by default. By default only the Domain Administrators are able
to logon through remote desktop services.
You do not need the 'Log on Locally' permission within the Group Policies.
In short:
Add the desired users/groups to the 'Builtin\Remote Desktop Users' security group.
Add the 'Builtin\Remote Desktop Users' security group to the 'Allow Logon Through Remote Desktop Services' within the 'Default Domain Controllers Policy'.
Thank you anyway for the fast reply.
Have a nice day!

Security (Console log entries)

The following entries appear repeatedly every few seconds in my Console log:
10/29/07 12:24:56 PM mDNSResponder[16] handleLNTGetExternalAddressResponse: Router returned bad address
10/29/07 12:24:56 PM mDNSResponder[16] Error getting external address 3
My D-Link router is performing properly and I have no problems with the network connections between my two computers or my Internet connections.
I found four technical documents that reference mDNSResponder issues but they pertain mostly to Apple Security issues and do not suggest what might be causing the repetitive log error entries.
Any suggestions other than to just forget that I ever saw these log entries?

I did a state dump for mDNSResponder (sudo killall -INFO mDNSResponder) both before and after killing and restarting the process (sudo killall -KILL mDNSResponder). Then offender appears to be in this area:
Oct 30 19:59:15 MaxG5 Unknown23: NAT Traversals
Oct 30 19:59:15 MaxG5 Unknown23: 0080A21C UDP Int 4500 Ext 0 Err 0 Retry 822 Interval 900 Expire 0
Oct 30 20:02:01 MaxG5 Unknown355: NAT Traversals
Oct 30 20:02:01 MaxG5 Unknown355: <None>
Note the number of retries and the expire value.
After killing and having the process restart itself, the messages in the log go away. The NAT Traversals values in the mDNSResponse state appear to be gone as well.

Communication issues between domain controllers

Hi everyone,
I am experiencing some problems in communication between domain controllers in our organization
We have three domain controllers, one of them is a Windows 2003 server service pack 2 which is physical (controller A), another which is Windows 2008 Service Pack 2 (controller B), also physical, and a third one (controller C) which is a Windows 2008
service pack 1 and is virtual.
I have problems with this last DC, it won't respond to pings, or DNS query. I can't Access it by remote desktop client even when it is enabled. I cannot update it, it prompts error messages if I try to do so.
This problems are solved if I reboot it, it will work fine some hours or days, but not much longer. I have checked event viewer and I didn't found any message about this.
I read some time ago it would be great to have a DC in a virtual machine, so I did it, but is it right?
Do you know what might be going on with it? would depromoting it and seting it up again the best solución?
Thank you very much.
Best regards.
David.

This sounds like a NIC issue, which is odd since it is a virtual machine. Have you checked the host for any logs about the client?
I think the first thing I would do is destroy the current virtual NIC card and add a new one. Since this has nothing to do with Active Directory I would also suggest you post this in a forum of for the Host (VMWare or Hyper-V).
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights.

Can't edit default domain controllers policy on windows 8 or server 2012

I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine. I can edit and save changes fine from a Windows 7 machine. The domain controllers are running Windows 2012 Standard upgraded
from Windows 2008 R2. Is there a security setting I am missing?

Posting the resolution from the other thread. Hope it helps!
I just accidentally resolved this issue today. I added the GPMC to a 2008 R2 server so I could make a needed firewall
change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile). About an hour later, I forgot I was using my Windows 8 machine and I went
to edit the Default Domain Controllers GPO and opened for edit without a problem. I can now edit it from Windows 8 and from Windows Server 2012. Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
editing the GPO once from a 2008 R2 machine.

802.1x WLAN auth not showing client ip in win 2008 AD security log

Hello.
I have a ongoing project configuring a cisco wlan with 802.1x, where microsoft network policy server is used for radius authentication.
Configuring the SSID on the WLC, and the 802.1x on wlc/radius server works fine, users type in their username and password on a smartphone/ipad etc and get access to the network.
The problem im facing is that I want to log the clients ip-address on the radius-server security log, so I can use cisco active directory agent to find the ip against username mapping in ironport.
The active directory agent checks the domain controllers security log to see what ip-address belongs to which user. In this scenario the user is mapped to the wlc ip, not the smartphone/ipad. The result is a lot of users mapped to the wlc ip-address, and the logs in cisco ADA/ironport is worthless.
Is there any way to configure wlc/802.1x to send the actual client ip-address to the authentication server, and not the WLC?

Please configure radius accounting on the WLC to have the required logs on the NPS server.
On the WLC, make sure we have radius accounting server configured under security > AAA > radius > accounting
After that Go to WLAN, edit the WLAN > security > AAA server and enable radius accounting.
Radius accounting on NPS logs
http://technet.microsoft.com/en-us/library/dd197475%28v=ws.10%29.aspx
Regards,
Jatin

2012 DC getting numerous 5152 errors in Security log

I have a DC running Windows Server 2012 (not R2) which has recently started getting numerous failed audit entries in its security log, ID 5152.
The source IP seems to include about half a dozen in use by domain PCs (all Windows 7). The source and destination port varies depending on which PC generating the error, but they do not change with regards to each PC. For example, when source IP is 192.168.1.113,
the source and destination ports for all of the errors generated by that IP never change.
This is a real puzzle. I've seen external logon attempts in the past on other servers when port 3389 was open to the internet. But in those cases the same IP tried different logon names and different ports. In this case, there is no username, nor does the
error even have a place to display a username. It's just source and destination IP/Port, the protocol which is always 17.
Anyone seen anything like this? Any ideas on what might be going on? Let me know if more information is needed.
Jonathan

Make sure that viruses are not behind this behaviour.
Use Process Monitor to make diagnostics.
Regards
Milos
I know what Process Monitor is but have never used it so I have no idea how to use it for this issue.
Jonathan

Parse Security Logs for User Account logon Computer Name

Greetings,
I was recently tasked with creating a list of user accounts and the computer in which they logged onto. Unfortunately, we do not have time to use the logon script method. I believe we can achieve this goal using software similar to LANSweeper
however not all computers will be turned on at a given time and I believe this application gathers it's information from the client PC. One possible solution I see is parsing the data from our domain controllers Security Logs / Successful Logons however
this is proving to be a challenge. Any suggestions?
Thanks,
Chris

Hi Chris,
I was recently tasked with creating a list of user accounts and the computer in which they logged onto.
I believe we can achieve this goal using software.
There is no built-in tool to complete this task.
However, we can configure event log trigger to send email when specific logon events are generated.
Here are some related articles below for you:
Getting event log contents by email on an event log trigger
http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx
Send an email when an event is logged
http://blogs.iis.net/rickbarber/archive/2012/10/26/send-an-email-when-an-event-is-logged.aspx
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Poodle, SSL, and Domain Controllers

Security Gurus,
Can someone please explain to me how I can use Microsoft Network Monitor on a Domain Controller so that I can discover what applications and clients are using SSL 3.0?
I have enabled verbose schannel logging, and with that I know there are clients/apps talking SSL 3.0, however, the event 36880 doesn't give a source address - it just says an SSL handshake completed successfully using the SSL 3.0 protocol.
It's my hope that Network Monitor will reveal the source address of the clients/apps talking SSL 3.0. As you might know, capturing all packets on a DC generates an enormous amount of data; I'm hoping NM has some type of filter that I can use to only
capture the SSL version packets.
Regards,
'T'

Senne,
Thank you for your response. However, I cannot disable SSLv3 because there are 3rd party applications that are dependent upon it.
What I'm try to accomplish is finding the source address of clients/apps that are communicating with the Domain Controllers using SSLv3. Once I have those source addresses I can begin communicating with the clients/app owners to let them know we are
disabling SSLv3.
It's my hope that I can achieve this using Network Monitor, however, I don't know what filters to use to capture that information.
Regards,
'T'

Security Log entries on domain controllers

Similar Messages

Maybe you are looking for