Filtering Events In The Security Log

By Author: Mike Jones
Total Articles: 256
Comment this article

To display only specific events that appear in the security log for example, attempting to write free practice questions to a text file without the necessary permissions — you can narrow down the events to display by using the Filter option.
To filter events in the security log, complete the following steps:
1.Start the Event Viewer console, view the security log, and then click Filter on the View menu.
2.In the Filter tab in the Security Properties dialog box, shown in Figure 13-15, indicate your choices of the available filtering criteria.

The Filter tab of the Security Properties dialog box Select the types of events you want to display in the Event Types area.
Select the software or component driver that logged the event in the Event Source list.
Select the event category in the Category list.
Indicate the event number that identifies the event in the Event ID box.
Indicate the user logon name in the User box.
Indicate the computer name in the Computer box.
Indicate the beginning of the range of events that you want ...
... to filter in the From list. Select First Event to see events starting with the first event in the log. Select Events On to see events that occurred starting at a specific time ancl date.
Indicate the end of the range of events that you want to filter in the To list. Select Last Event to see events ending with the last event in the log. Select Events On to see events that occurred up to a specific time and date.
3. Click OK. The events you selected for your filtered display appear in the security log.
To remove a security log filter, complete the following steps:
1.Start the Event Viewer console, view the security log, and then click Filter on the View menu.
In the Filter tab in the Security 70-685 Properties dialog box, click Restore Defaults, and then click OK.
The Kerberos Policy, which is part of the Account Policies on a Windows Server 2003 domain, controls the main authentication mechanism for the domain members. Kerberos allows access based on the issuance of service tickets. These tickets have finite lifetimes and are in part based on system time clocks. If for some reason there is more than a five-minute difference between the clock of a client computer and the clock of the domain's primary domain controller (PDC) emulator, the domain member is denied access until the discrepancy is corrected.
This typically isn't a problem for computers running Microsoft Windows 2000 Professional, Windows XP Professional, Microsoft Windows 2000 Server, and Windows Server 2003 because their time clocks are automatically synchronized when they are made members of the domain. However, since Kerberos is a standard accepted by other operating systems, such as UNIX, you may find clock skew an issue when nonMicrosoft operating systems use the Kerberos Key Distribution Center (KDC) that is built into your Active Directory domain controllers. Although you can modify the Kerberos Policy's Maximum Tolerance For Computer Clock Synchronization policy to allow computers a greater leeway in system time clock discrepancies, the best plan is to synchronize all systems to a single reliable time source.
Important When setting account policies in Active Directory, keep in mind that Windows Server 2003 allows only one account policy per domain: the account policy applied at the domain. The domain account policy is the default account policy of any computer that is a member of the domain.
Use the Resultant Set Of Policy Wizard, Gpresult and Gpupdate command-line a+ exam papers tools, Event Viewer, and log files to troubleshoot Group Policy application deployment issues.