I've enabled success and failure for object access for the default domain GPO and the Default DC GPO as well. I've also enabled auditing for the file itself and put the group that I want auditing for in the ACL and checked that auditing is enabled for that file and for that group.
Restarted more than once and have run gpupdate on both - several times.
As a test I log into client01 as a user in that group and access this file located on the DC and try to delete it - access denied - this is good since it's read only for the group.
I check the DC event log - no entries for object access at all. I check the client system and there is only one entry for security which gets wiped out every time a new user logs in. I want the local machine to NOT wipe out entries and to audit the file located on the DC.
Can anyone set me straight on this one? (No articles please, thanks)
Thanks in advance!