firebird-sc

asked on

Help auditing object access

Hello,

I would like to implement object access auditing on one particular member of our domain. One day I plan to learn all about Windows security, but today is not that day. I'm responsible for our network, but it's not what I actually DO here.

Anyway, our server is Win2003. Management wants a somewhat disgruntled employee monitored. Can someone give me a step-by-step on how to implement object access auditing on all file/folder access by Person A on the entire contents of (for example) F:\files\?
firebird-sc

ASKER

Anyone ...?
Hello,
Yes, this can be done through group policy.

First you must set a policy on the target machine that holds the files
you want to audit. If you want this done on multiple machines there is another way,
but based upon what you said I will give you the easier way to do it for just one machine.

From the server that holds the files click Start >> Run >> type gpedit.msc >> click OK >>
expand Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >>
now click on 'Audit Policy' >> on the right side of your screen double click 'Audit Object Access'.
Now check 'success' and/or 'failure' based upon what you would like to monitor.

Next we need to allow auditing on the particular folder.
From the same server open Windows Explorer/My Computer and navigate to the folder in question >>
right click >> Properties >> Security tab >> click the 'Advanced' button >> now click the 'Auditing' tab.
From here you can add the user you would like to monitor.

Their activities will now be displayed in the event viewer of the server:
right click My Computer >> Manage >> expand 'System Tools' >> expand 'Event Viewer' >> click on 'Security'.

Depending upon the user's usage you might want to increase the default size of the security event log
by right clicking Security >> Properties >> increase maximum log size.

Also, to help weed through all the events you can
right click the security log >> View >> then use the filter.

Hope this helps
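
The folder-level auditing step and the log filtering described in the answer above can also be scripted. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later is installed on the server, that `CONTOSO\PersonA` is a placeholder for the audited account, and that audited file opens are logged as event ID 560 (the Server 2003 "object open" event).

```powershell
# Added example. Assumptions: PowerShell 2.0+, run as an administrator,
# 'Audit Object Access' already enabled by policy as described in the thread.
$Folder  = 'F:\files'           # example path from the question
$Account = 'CONTOSO\PersonA'    # placeholder account name (assumption)

# Audit entry (SACL): record successful and failed access by this one account,
# inherited by every subfolder and file under $Folder.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $Account, $rights, $inherit, $prop, $flags)

# Get-Acl returns the audit entries only when -Audit is specified.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify what is now set on the folder.
(Get-Acl -Path $Folder -Audit).GetAuditRules($true, $true,
    [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Pull that account's object-open events for the folder from the Security log
# instead of filtering by hand in Event Viewer.
Get-EventLog -LogName Security -InstanceId 560 -UserName $Account -Newest 500 |
    Where-Object { $_.Message -like "*$Folder*" } |
    Select-Object TimeGenerated, EntryType, UserName, Message |
    Sort-Object TimeGenerated
```

Listing only the audited account in the folder's auditing entry, rather than Everyone, keeps the Security log from filling with other users' activity.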
Thanks for the reply!  

One problem - when I open the GPEditor the Security Settings icon in the left side and its subfolders Account Policies and Local Policies, as well as their subfolders, all have a little lock symbol on the icon, and I'm not able to change any of the properties stored within them. I'm logged in as Administrator.
Ok, we will have to do this the other way.

Have you ever created or edited group policies?
If not, download this and install it on your workstation.

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

This will allow you to create, edit and view group policies.
What we tried the first time was editing your local policy.
There are other policies that are being applied at a higher level.
We need to edit an existing policy or create a new policy, but I need more info first.

Do you know what OU this server is in?

Please run this from the command prompt of the server that you want to audit.
Click Start >> Run >> cmd >> click OK >> gpresult /scope:computer

Give us the list of group policies under the heading of
"Applied Group Policy Objects"
Thanks. I hadn't downloaded that editor, so I'm sure that will help.

According to gpresult,

OU=domain controller

Applied Group Policy Objects
Default Domain Controllers Policy
Default Domain Policy
Local Group Policy

It's just the one server on our small network.
Headin' home now but I'll be back Monday - have a good weekend.
Ok, thanks for the info...
Your account is a member of the domain admin group... right?

Open the GPMC (you might have to point it to your forest/domain).
Under the container called 'Group Policy Objects' you will see one
called 'default domain controller policy'
(!! it's important not to confuse this w/ the default domain policy !!)

Right click this and select Edit.

Expand Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >>
now click on 'Audit Policy' >> double click 'Audit Object Access'.
Now check 'success' and/or 'failure' based upon what you would like to monitor.

Hope this one works for you!
Okay, that worked great. I was able to set the auditing to success or failure.  This, I assume, will be for all domain users.   Can I limit the auditing to specific users?
ASKER CERTIFIED SOLUTION
mdiglio
Did that explain it?
Excellent assistance!  Thank you very much, you saved me a lot of time trying to muddle through this on my own.

thanks!
Glad you got it going.
Thanks for the points