Solved

Windows 2000 server Auditing problem with existing directories/shares

Posted on 2002-03-09
Last Modified: 2010-04-14
Ok stay with me on this one :)

I am running Windows 2000 Server.  I've turned on file/folder auditing for the domain policy (Active
Directory), I turned it on after creating my directories/shares from what I can recall.  Service Pack
2 is applied, all critical updates are applied. The problem is when I want to turn on auditing on my
current shared objects (folder, files), nothing shows up in the security log.  Now if it would be only
that I'd say I missed a step, I've checked and double-checked every option, everything is fine except
it won't show up.

Now the funny thing is I tried creating a new directory and share.  I put the same settings, and this
time it audits everything like it should.  If I delete the shared directory, remove all the files, reboot,
recreate it and reapply permissions, it won't work if it's the same name as before.  This is really
weird since it works on anything new I create.

One strange thing I've noticed though is that when I recreated the directory (which was deleted and
I've rebooted since then) and go in security->advanced->audit, the previous objects are still there
and active.  Is this a bug or me doing something really nasty?  Normally when you delete something,
it's supposed to be erm.. deleted. no?  

Like I said, the auditing works fine when creating new directories... so it's really on the existing
items that I am having a hard time and I don't want to create new names, I want to solve this problem.
200 points for this one if I get a solution that fixes the problem, not works around it.

Thanks for anyone's input.
Question by:teeceecee
7 Comments
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6854301
The auditing defined in the GPO is only applied to new files and directories. To enable auditing on an existing dir, open the properties, security, advanced, auditing, and add the auditing you want to have.

To apply security settings throughout your domain, you can define ACLs to be applied/replaced on files in the GPO.
0
 
LVL 9

Expert Comment

by:gregcmcse
ID: 6855630
Well, I'm not sure this is the answer, but since you didn't mention doing it, I'll ask:

Did you grant the "Generate Security Audits" right to the "Administrators" local group on the domain policy?

(Can be found in the Domain Policy under:  Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment)

I'm not sure (would need to look it up), but I believe you need to make that change under the Domain Controller policy as well if your server is a domain controller.

Because you're getting auditing of new directories, I'm not sure this is the issue -- but I'd check it.  Hope this helps!
0
 

Author Comment

by:teeceecee
ID: 6860935
I did all this, I did add the extra auditing on the file/directory that I wanted to audit (even the older that aren't working, I went thru them one by one, and besides my logging needs aren't the same for let's say /finance than they are for /public so I had to go thru them to change it anyways).  I even explicitly told it to log my account on anything happening on the directory (read, access, etc) and like I said, if I do it on a newer dir, put the same values, it works just like it should.

As for the "generate security audits" it had nothing in it, I added administrator and administrator@xyz but it's still not working...


0
 
LVL 9

Expert Comment

by:gregcmcse
ID: 6862307
Did you run "secedit /refreshpolicy machine_policy /enforce" from the command line to make sure the policy took effect immediately?  Is "audit object access" enabled in the policy?

On a different note:  is it possible this machine is running NTFS 4 or earlier on the volume in question?  It would be if it were originally formatted under NT 4 or earlier (if the server was upgraded from NT 4, for example).

If those don't pan out, try checking out this Microsoft knowledge base article (line may be wrapped):

http://support.microsoft.com/support/kb/articles/q300/5/49.asp
0
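
The two checks raised in the comments above (whether "audit object access" is actually in effect, and which audit entries an existing folder really carries), as an added example that is not part of the original thread. It assumes a current Windows release with PowerShell and auditpol.exe, both of which postdate Windows 2000; the folder paths are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated prompt: reading a
# SACL requires the "Manage auditing and security log" right.
# Hypothetical paths: one folder that does not log, one that does.
$folders = 'D:\Shares\finance', 'D:\Shares\newtest'

# 1. Policy layer: is file-system object-access auditing in effect here?
#    (The subcategory name is localized; "File System" is the English name.)
auditpol /get /subcategory:"File System"

# 2. Object layer: list the audit entries each folder actually carries,
#    and whether they are explicit or inherited from a parent.
foreach ($path in $folders) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$path not found"
        continue
    }

    # -Audit asks Get-Acl to include the SACL, which is omitted by default.
    $sacl = (Get-Acl -Path $path -Audit).Audit

    if (-not $sacl) {
        Write-Warning "$path has no audit entries; nothing will be logged for it"
        continue
    }

    $sacl |
        Select-Object @{ Name = 'Path'; Expression = { $path } },
                      IdentityReference, FileSystemRights, AuditFlags,
                      IsInherited, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}
```

Comparing the rows for the two folders side by side shows whether the folder that stays silent differs in identity, rights, success/failure flags or inheritance from the one that logs.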
 

Author Comment

by:teeceecee
ID: 6862747
I am not familiar with secedit, I'll read about it and try stuff around it, but I did try to see if anything changed from day to day to see if anything could have been screwed with the policy activation (and rebooted after changing something too, I could afford the downtime to fix that stupid issue), I think it usually takes 45 minutes for the domain policies to replicate among servers, in my case it's a single domain controller, and every time I did a modification on anything it worked like it should, it's not upgraded from NT4, it's a pure win2000 server clean install.

0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 8904577
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
[paq refund]
Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
[ewtaylor]
EE Cleanup Volunteer
0
 
LVL 6

Accepted Solution

by:
Mindphaser earned 0 total points
ID: 8997259
Force accepted

** Mindphaser - Community Support Moderator **
0
