Not beneficial at the moment. Also if success auditing is on, our 100MB logs would roll within a couple hours tops. We have some 250,000 users and about 375 domain controllers processing millions of authentications daily. We don't even really do much with failed logons other than occasionally chase worms/viruses/lockouts. If we came up with a valid use for the successes and could successfully harvest them to a centralized location we probably would; but we would need good reason to go after it.
Some people may go shame shame not watching for bad authentications for hacking attempts but it is a horsepower thing. We would have to first pull out the multiple bads that couldn't be attributed to bugs in Outlook or PDA's or other poorly written apps then try to identify the security group responsible for the userid in question which is a huge task in a multinational multidivisional company all by itself. Then have to get them to own up to chasing the machine and the user down. All something we would like to do some day when everything else gets down to a dull roar. :o)

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Thursday, December 25, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How large are your security logs on your DC's?

Are you utilizing some alternate technique of tracking when users logon? Or do you feel that it's not beneficial enough to include?

>Our auditing is
>
>Account logon events failure
>Account management success/failure
>Logons failure
>Object access none
>Policy changes success/failure
>Privilege use Success/failure
>Process tracking none
>System events success/failure

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
