Help auditing object access

Hello,

I would like to implement object access auditing on one particular member of our domain. One day I plan to learn all about Windows security, but today is not that day. I'm responsible for our network, but it's not what I actually DO here.

Anyway, our server is Win2003. Management wants a somewhat disgruntled employee monitored. Can someone give me a step-by-step on how to implement object access auditing on all file/folder access by Person A on the entire contents of (for example) F:\files\?
firebird-sc Asked:
firebird-sc (Author) Commented:
Anyone ...?
mdiglio Commented:
Hello,
Yes this can be done through group policy.

First you must set a policy on the target machine that holds the files
you want to audit. If you want this done on multiple machines there is another way
but based upon what you said I will give you the easier way to do it for just one machine

From the server that holds the files click start >> run >> type gpedit.msc >> click OK >>
expand Computer configuration >> Windows settings >> security settings >> local policies >>
now click on 'Audit Policy' >> on the right side of your screen double click 'Audit Object Access'
Now check 'success' and/or 'failure' based upon what you would like to monitor

Next we need to allow auditing on the particular folder.
From the same server open windows explorer/my computer and navigate to the folder in question >>
right click >> properties >> security tab >> click the 'advanced' button > Now click the 'auditing' tab
From here you can Add the user you would like to monitor.

Their activities will now be displayed in the event viewer of the server
right click My Computer >> manage >> expand 'system tools' >> expand 'Event Viewer' >> Click on 'Security'

Depending upon the user's usage you might want to increase the default size of the security event log
by right clicking security >> properties >> increase maximum log size.

also to help weed through all the events you can
right click the security log >> view >> then use the filter

Hope this helps
firebird-sc (Author) Commented:
Thanks for the reply!

One problem - when I open the GPEditor the Security Settings icon in the left side and its subfolders Account Policies and Local Policies, as well as their subfolders, all have a little lock symbol on the icon, and I'm not able to change any of the properties stored within them. I'm logged in as Administrator.
mdiglio Commented:
Ok, we will have to do this the other way.

Have you ever created or edited group policies ?
If not download this and install it on your workstation.

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

This will allow you to create, edit and view group policies.
What we tried the first time was editing your local policy.
There are other policies that are being applied at a higher level.
We need to edit an existing policy or create a new policy but I need more info first

Do you know what OU this server is in ?

please run this from the command prompt of the server that you want to audit.
click start >> run >> cmd >> click ok >> gpresult /scope:computer

Give us the list of group policies under the heading of
"Applied Group Policy Objects"
firebird-sc (Author) Commented:
Thanks. I hadn't downloaded that editor, so I'm sure that will help.

According to gpresult,

OU=domain controller

Applied Group Policy Objects
Default Domain Controllers Policy
Default Domain Policy
Local Group Policy

It's just the one server on our small network.
Headin' home now but I'll be back Monday - have a good weekend.
mdiglio Commented:
Ok, thanks for the info...
your account is a member of the domain admin group...right ?

Open the GPMC ( you might have to point it to your forest/domain )
Under the container called 'Group Policy Objects' you will see one
called 'default domain controller policy'
( !! it's important not to confuse this w/ the default domain policy !! )

right click this and select edit.

expand Computer configuration >> Windows settings >> security settings >> local policies >>
now click on 'Audit Policy'  >>  double click 'Audit Object Access'
Now check 'success' and/or 'failure' based upon what you would like to monitor

Hope this one works for you !
firebird-sc (Author) Commented:
Okay, that worked great. I was able to set the auditing to success or failure. This, I assume, will be for all domain users. Can I limit the auditing to specific users?
mdiglio Commented:
Actually, right now it's not set up to audit anyone.
Here is a cut and paste from my 1st post:

Next we need to allow auditing on the particular folder.
From the same server open windows explorer/my computer and navigate to the folder in question >>
right click >> properties >> security tab >> click the 'advanced' button > Now click the 'auditing' tab
From here you can Add the user you would like to monitor.

Their activities will now be displayed in the event viewer of the server
right click My Computer >> manage >> expand 'system tools' >> expand 'Event Viewer' >> Click on 'Security'

Depending upon the user's usage you might want to increase the default size of the security event log
by right clicking security >> properties >> increase maximum log size.

also to help weed through all the events you can
right click the security log >> view >> then use the filter
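
The folder-auditing and log-filtering steps from the post above, scripted with PowerShell as an added example (not part of the original thread). It assumes PowerShell is installed on the server and is run as an administrator after 'Audit Object Access' has been enabled in policy; `EXAMPLE\PersonA` is a placeholder account, and event ID 560 (the object-open event that Server 2003-era systems write to the Security log) is not mentioned in the thread.

```powershell
# Added example: the account below is a placeholder, not taken from the thread.
$Folder  = 'F:\files'           # folder named in the question
$Account = 'EXAMPLE\PersonA'    # hypothetical DOMAIN\user to audit

# Access types to record. A narrower set produces fewer events to sift.
$Rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'

# Apply the entry to this folder, its subfolders and its files.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

# Log both successful and failed attempts.
$Outcome = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Account, $Rights, $Inherit, $Propagate, $Outcome)

# -Audit loads the SACL (the 'Auditing' tab); without it only the
# permission entries are returned and the rule would not be saved.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Confirm that the entry is now on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-List IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Later: pull that user's object-open events under the folder from the
# Security log instead of paging through Event Viewer.
$User = $Account.Split('\')[-1]
Get-EventLog -LogName Security -Newest 5000 |
    Where-Object {
        $_.EventID -eq 560 -and
        $_.Message -like "*$Folder\*" -and
        $_.Message -like "*$User*"
    } |
    Select-Object TimeGenerated, EntryType, Message
```

If the confirmation step prints nothing, the audit entry was not written; events are only logged once both the policy setting and this folder entry are in place.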

mdiglio Commented:
Did that explain it ?
firebird-sc (Author) Commented:
Excellent assistance!  Thank you very much, you saved me a lot of time trying to muddle through this on my own.

thanks!
mdiglio Commented:
Glad you got it going.
Thanks for the points