Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!
Folder Level/User Auditing
We had someone or something come in and delete a bunch of our production data last night. I am recovering it, but I wanted to see how to set up a folder level audit so that it records in the Event Viewer.
This is what I am doing:
Log into "Server"
1. Turn the auditing system on. Click Start > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.
2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"
3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK
4. Exit the Group policy Editor
5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing
6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.
7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.
8. Select the "actions" you want to audit > OK >OK >OK
Audited Events will now be displayed in the event viewer > security log
I set the folder with the Audit Policy, but for some reason in the Event Viewer all I am getting is "Object Access" category entries. I am looking for more specific things like.
User A deleted this file/folder on whatever date..... Is this even possible?
This is what I am doing:
Log into "Server"
1. Turn the auditing system on. Click Start > Run > gpedit.msc {enter} NB We are in LOCAL policies here DONT define auditing in Domain policy as all your clients event viewers will fill up with junk, and it slows them down.
2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"
3. Double click "Audit Object Access" > Tick Success and Failure > apply > OK
4. Exit the Group policy Editor
5. Navigate to the "share" Folder > right click > properties > security > advanced > auditing
6. DONT click ADD, double click in the "white-space" in the middle of the auditing window.
7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.
8. Select the "actions" you want to audit > OK >OK >OK
Audited Events will now be displayed in the event viewer > security log
I set the folder with the Audit Policy, but for some reason in the Event Viewer all I am getting is "Object Access" category entries. I am looking for more specific things like.
User A deleted this file/folder on whatever date..... Is this even possible?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Here is my scenario.
I have about 10 servers. On each server of those 10 is a root folder in which users place and process data. I want to be able to view events based off of those root folder in the security tab of each server in which entries will log who created a folder and who deleted a folder, with the user name.
Right now I can only get 3 of the Categories. Object Access, Logon/Logoff, Policy change. I need the Delete or Create category to display with the username who deleted it...
A screen shot is attached.
example.JPG
I have about 10 servers. On each server of those 10 is a root folder in which users place and process data. I want to be able to view events based off of those root folder in the security tab of each server in which entries will log who created a folder and who deleted a folder, with the user name.
Right now I can only get 3 of the Categories. Object Access, Logon/Logoff, Policy change. I need the Delete or Create category to display with the username who deleted it...
A screen shot is attached.
example.JPG
And you can see that the 1 entry has the user name "lauro" that is my username. I would like that for all my users for Create and Delete entries. But I cant seem to accomplish that...
You can use filtering, right click Security log and selectView, Filter... or you can export events in csv format and examine them with Excel.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Word 2016 Part … 174 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - PowerPoint 2007… 140 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
You have to examine the contents of record. When user deletes an object an event with ID 564 should be recorded.
Toni