eSourceONE
asked on
Files Access Auditing - Win Server 2003
Hello,
This shouldn't really be a problem, but for some odd reason, we are having problems enabling file access auditing on one of our Windows machines.
The server is an Active Directory member server. An audit policy has been created on the folder (auditing "everyone" - full control (failed and successful) including all files and subfolders, and having been inherited to the child folders). In addition, failed, and successful object access has been enabled in the local security policy of the machine. No group policys define this value otherwise. The partition on which the folder to to be audited resides is formatted as an NTFS parition.
For everything done on this machine, we get hundreds of log entries. The only problem is, that which we want logged is not being logged - who touched what file and how they accessed it (at least the file name and path are seen nowhere in any entry).
I've done enough troubleshooting, (re)read MSDN articles, etc.
(http://support.microsoft.com/kb/310399/en-us - it applies for XP, but the method is the same)
Does anyone have any ideas what the problem might be and if there are any other options that affect these settings?
This shouldn't really be a problem, but for some odd reason, we are having problems enabling file access auditing on one of our Windows machines.
The server is an Active Directory member server. An audit policy has been created on the folder (auditing "everyone" - full control (failed and successful) including all files and subfolders, and having been inherited to the child folders). In addition, failed, and successful object access has been enabled in the local security policy of the machine. No group policys define this value otherwise. The partition on which the folder to to be audited resides is formatted as an NTFS parition.
For everything done on this machine, we get hundreds of log entries. The only problem is, that which we want logged is not being logged - who touched what file and how they accessed it (at least the file name and path are seen nowhere in any entry).
I've done enough troubleshooting, (re)read MSDN articles, etc.
(http://support.microsoft.com/kb/310399/en-us - it applies for XP, but the method is the same)
Does anyone have any ideas what the problem might be and if there are any other options that affect these settings?
enriquecadalso
Hello. You have to enable "Audit object access" setting. Edit the Default Domain Policy (or any other policy that you are applying to the OU where the server is), and go to Computer configuration, windows settings, local policies, audit policy. There you can define what actions will be in the audit logs.
ASKER
Yes, that has been configured through the local security policy.
ASKER
Here are the current settings. Unfortunately, I only have them in German, however, I think they are more or less obvious.
The LSP settings show that Object Acess is being audited - both successfull, and failed
The Folder's audit settings show that I am auditing for "everyone" / Full Control / apples to "This folder, subfolders, and files" / The settings have been passed on to child objects by enabling the second checkbox. I have also confirmed that they were inherited to subfolders, files, etc.
As stated, we are getting thousands of Object Access log entries, however none which contain the file name accessed, who accessed it, and how.
LSP.PNG
Audit-Settings.PNG
The LSP settings show that Object Acess is being audited - both successfull, and failed
The Folder's audit settings show that I am auditing for "everyone" / Full Control / apples to "This folder, subfolders, and files" / The settings have been passed on to child objects by enabling the second checkbox. I have also confirmed that they were inherited to subfolders, files, etc.
As stated, we are getting thousands of Object Access log entries, however none which contain the file name accessed, who accessed it, and how.
LSP.PNG
Audit-Settings.PNG
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It seems to work now. All I did was to recreate the auditing to a folder next to it, and test auditing my user only. That worked fine, as did the following audit of my user to the initial folder. Finally, I changed it to "everyone" and it works. The configuration is the same, all checkboxes identical to the way they were before.
Thanks for your help!
Thanks for your help!
ASKER
The solution was to recreate the auditing, using the same settings as posted in the screenshots.