I want to audit when any users read or write to a specific folder. I opened up my Local Security Policy editor and enabled both Success and Failure for the "Audit Object Access" setting.
Now I *DID NOT* go enable auditing on the folder I'm interested in yet! I simply went into the Security Log and found thousands of entries for the SYSTEM account accessing objects. The log was flooded within minutes and kept growing and growing.
What's going on here? Shouldn't I have to turn on auditing for a specific object (i.e. a folder) before anything gets audited?
What is the system looking at here...??? Thoughts?