
Practice auditing authentication

In this practice, you use Group Policy to enable auditing of logon activity by users in the contoso.com domain. You then generate logon events and view the resulting entries in the event logs.

Exercise 1: Configure Auditing of Account Logon Events

In this exercise, you modify the Default Domain Controllers Policy GPO to implement auditing of both successful and failed logons by users in the domain.

1. Open Group Policy Management from the Administrative Tools program group.

2. Expand Forest, Domains, Contoso.com, and Domain Controllers.

3. Right-click Default Domain Controllers Policy and choose Edit.

Group Policy Management Editor appears.

4. Expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.

5. Double-click Audit Account Logon Events.

6. Select the Define These Policy Settings check box.

7. Select both the Success and Failure check boxes. Click OK.

8. Double-click Audit Logon Events.

9. Select the Define These Policy Settings check box.

10. Select both the Success and Failure check boxes. Click OK.

11. Close Group Policy Management Editor.

12. Open Command Prompt and type gpupdate.exe /force.

This command causes SERVER01 to update its policies, at which time the new auditing settings take effect.

Exercise 2: Generate Account Logon Events

In this exercise, you generate account logon events by logging on with both incorrect and correct passwords.

1. Log off of SERVER01.

2. Attempt to log on as Administrator with an incorrect password. Repeat this step once or twice.

3. Log on to SERVER01 with the correct password.

Exercise 3: Examine Account Logon Events

In this exercise, you view the events generated by the logon activities in Exercise 2.

1. Open Event Viewer from the Administrative Tools program group.

2. Expand Windows Logs, and then click Security.

3. Identify the failed and successful events.
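
The same check as step 3, done from Windows PowerShell instead of Event Viewer. This is an added example, not part of the original text: the function name Get-LogonAuditEvent and the one-hour default window are assumptions, and the event IDs are the standard Security log IDs used by Windows Server 2008 and later. It reads the local Security log by default and also accepts a list of domain controller names, because account logon events are recorded separately on each domain controller.

```powershell
# Added example: summarize the events generated in Exercise 2.
# Run from an elevated Windows PowerShell session on the domain controller.

# Security log event IDs and the audit policy setting that produces each one.
$ids = @{
    4624 = 'Logon (Audit Logon Events)'
    4625 = 'Logon failure (Audit Logon Events)'
    4768 = 'Kerberos TGT request (Audit Account Logon Events)'
    4771 = 'Kerberos pre-authentication failure (Audit Account Logon Events)'
    4776 = 'NTLM credential validation (Audit Account Logon Events)'
}
$auditFailure = 0x10000000000000   # "Audit Failure" keyword bit on a Security event

function Get-LogonAuditEvent {     # hypothetical helper name
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    foreach ($computer in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = [int[]]@($ids.Keys); StartTime = $Since }
        # SilentlyContinue: Get-WinEvent raises an error when no events match.
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                    $data[$d.Name] = $d.'#text'
                }
                New-Object PSObject -Property @{
                    Time     = $_.TimeCreated
                    Computer = $_.MachineName
                    Id       = $_.Id
                    Category = $ids[$_.Id]
                    Result   = $(if ($_.Keywords -band $auditFailure) { 'Failure' } else { 'Success' })
                    Account  = $data['TargetUserName']
                    # 4624/4625/4768/4771 carry IpAddress; 4776 carries Workstation.
                    Source   = $(if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] })
                }
            }
    }
}

Get-LogonAuditEvent |
    Sort-Object Time |
    Select-Object Time, Computer, Id, Result, Account, Source, Category |
    Format-Table -AutoSize
```

The incorrect-password attempts from Exercise 2 appear as Failure rows and the final logon as Success rows for the Administrator account.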

Lesson Summary

• Account logon events occur on a domain controller as it authenticates users logging on anywhere in the domain.

• Logon events occur on systems to which users log on—for example, to their individual desktops and laptops. Logon events are also generated in response to a network logon—for example, when a user connects to a file server.

• By default, Windows Server 2008 R2 systems audit successful account logon and logon events.

• To examine account logon events in your domain, you must look at the individual event logs from each domain controller.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2, “Auditing Authentication.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE: Answers

Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.

1. You want to obtain a log that will help you isolate the times of day that failed logons are causing a user’s account to be locked out. Which policy should you configure?

A. Define the Audit Account Logon Events policy setting for Success events in the Default Domain Policy GPO.

B. Define the Audit Account Logon Events policy setting for Failure events in the Default Domain Policy GPO.

C. Define the Audit Logon Events policy setting for Success events in the Default Domain Policy GPO.

D. Define the Audit Logon Events policy setting for Failure events in the Default Domain Policy GPO.

2. You want to keep track of when users log on to computers in the human resources department of Adventure Works. Which of the following methods will allow you to obtain this information?

A. Configure the policy setting to audit successful account logon events in the Default Domain Controllers GPO. Examine the event log of the first domain controller you installed in the domain.

B. Configure the policy setting to audit successful logon events in a GPO linked to the OU containing user accounts for employees in the human resources department. Examine the event logs of each computer in the human resources department.

C. Configure the policy setting to audit successful logon events in a GPO linked to the OU containing computer accounts in the human resources department. Examine the event logs of each computer in the human resources department.

D. Configure the policy setting to audit successful account logon events in a GPO linked to the OU containing computer accounts in the human resources department. Examine the event logs of each domain controller.

Lesson 3: Configuring Read-Only Domain Controllers

Branch offices present a unique challenge to an enterprise’s IT staff: If a branch office is separated from the hub site by a wide area network (WAN) link, should you place a domain controller (DC) in the branch office? In previous versions of Windows, the answer to this question was not a simple one. Windows Server 2008, however, introduced a new type of domain controller—the read-only domain controller (RODC)—that made the question easier to answer. In this lesson, you explore the issues related to branch office authentication and domain controller placement, and you learn how to implement and support a branch-office RODC.

After this lesson, you will be able to:

• Identify the business requirements for RODCs.

• Install an RODC.

• Configure password replication policy.

• Monitor the caching of credentials on an RODC.

Estimated lesson time: 60 minutes

Authentication and Domain Controller Placement