2

I want to audit registry-related events (modify key, delete key, etc.), so I enabled it via Group Policy and set up "Global Object Access Auditing" for auditing on "Authenticated Users". Unfortunately the event count is too high and almost 95% of them are from "NT SYSTEM". Below are my questions:

-> Why is "NT SYSTEM" part of "Authenticated Users"?

-> What should I select in the "Global Object Access Auditing" that limits auditing to all interactive and non-interactive users except SYSTEM?

Edit: If I were to use "Domain Users", I need to create a separate entry for each domain in the forest and out of the forest; I am wishing it were to be a last-resort move.

Darktux

1 Answer

0

Authenticated users is not a group that contains members. It's a condition.

Set it to Domain Users.

Matt
  • Should I be creating a separate entry for all the domains in the forest? And the same with the out-of-forest domains? – Darktux Jun 15 '16 at 14:25
  • This is a vital bit of information that wasn't in your question prior to your edit. You could get around this by creating a universal security group in your forest root domain and making Domain Users from each child domain a member. – Matt Jun 15 '16 at 22:26
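
The universal-group approach from the last comment, written out in PowerShell as an added example that is not part of the original thread. The group name is a hypothetical placeholder, the script assumes the ActiveDirectory module and rights to create groups in the forest root, and it also adds the root domain's own Domain Users; a universal group can only hold members from inside the forest, so out-of-forest domains are not covered by it.

```powershell
# Added example: build one universal group that nests "Domain Users" from
# every domain in the forest, so a single Global Object Access Auditing
# entry can reference it instead of one entry per domain.
Import-Module ActiveDirectory

$GroupName = 'GOAA-All-Domain-Users'   # hypothetical name, pick your own

$forest  = Get-ADForest
$rootDns = $forest.RootDomain

# Create the universal security group in the forest root if it does not exist.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $rootDns
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Universal -GroupCategory Security `
        -Description 'Principal for Global Object Access Auditing' `
        -Server $rootDns -PassThru
}

foreach ($domainDns in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainDns

    # Domain Users always has RID 513; resolving it by SID avoids
    # depending on a localized or renamed group name.
    $domainUsers = Get-ADGroup -Identity "$($domain.DomainSID.Value)-513" -Server $domainDns

    # Re-read current membership so the script can be run repeatedly.
    $current = Get-ADGroup -Identity $group.DistinguishedName `
        -Properties member -Server $rootDns
    if ($current.member -contains $domainUsers.DistinguishedName) {
        Write-Host "Already nested: $($domainUsers.DistinguishedName)"
        continue
    }

    # Writing the member attribute by DN works across domains in one forest.
    Set-ADGroup -Identity $group.DistinguishedName `
        -Add @{ member = $domainUsers.DistinguishedName } -Server $rootDns
    Write-Host "Added: $($domainUsers.DistinguishedName)"
}

# Show the resulting membership for review before using the group as the
# principal in the Global Object Access Auditing registry entry.
Get-ADGroup -Identity $group.DistinguishedName -Properties member -Server $rootDns |
    Select-Object -ExpandProperty member
```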