Monday, September 21, 2009

Security logs on client PCs fill up after joining a SBS 2008 domain

The Problem:
After joining a PC to a SBS 2008 domain, you may soon notice that users cannot log into the machine and the following error is displayed on the logon box: "The security log on this system is full. Only administrators can log on to fix the problem." Or if you log in via RDP you will see the logon message "The security log on this system is full."

The Solution:
Change the log size and/or retention settings for the security log. You can either do this locally or via a GPO.

Locally: Open event viewer (run >> eventvwr), right click the security log, select properties and edit the appropriate settings under the "Log Size" section. Increase the log size for a temporary fix or select "Overwrite events as needed" or "Overwrite events older than" and select a value in days that you're sure won't cause the log to fill up before that number of days has passed.

From a GPO: Look at the options for Security Logs in the following GPO node: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Event Log. Specifically, I chose to edit the "Maximum Security Log Size" and "Retention Method for Security Log" options.

The Long Story:
After I joined the very first client to my new SBS 2008 domain, I noticed an error upon logging in via RDP: "The security log on this system is full." It was an XP SP2 machine and when I checked the security log I noticed a ton of event numbers 538, 540 and 576 (Logon/Logoff and Privilege Use events). They were logged for users MyServerName$ and SBSMonAcct.

A quick search of the SBSMonAcct user reveals that it is a special account that is created, used and deleted on the fly by SBS 2008. So apparently there's a lot more interaction on the SBS machine's behalf with the client PCs than I first knew about. The security log settings on the XP client were set to cap the security log at an underwhelming 64K and to retain the log for 7 days. With all of those logon/logoff events the log was filling up well before the 7 day limit. I wanted to make sure this didn't happen on any other machines on the domain.

On the SBS box, I edited the "Windows SBS Client Policy" GPO that is created by default and linked to the default SBSComputers OU. I moved to the following GPO node: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Event Log. I edited the following options:

  • Maximum Security Log Size: 16,384 kilobytes (the default when you enable this policy)
  •  Retention Method for Security Log: Overwrite events as needed (This place isn't a high security environment and I think 16 megs of security events should be enough. If I need to retain more than that I can change the settings as needed.)
And all was well in the land.

No comments:

Post a Comment