We had someone or something come in and delete a bunch of our production data last night. I am recovering it, but I wanted to see how to set up a folder-level audit so that it records in the Event Viewer.
This is what I am doing:
Log into "Server"
1. Turn the auditing system on. Click Start > Run > gpedit.msc {enter}. NB: we are in LOCAL policies here. DON'T define auditing in Domain policy, as all your clients' Event Viewers will fill up with junk, and it slows them down.
2. Navigate to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"
3. Double-click "Audit Object Access" > tick Success and Failure > Apply > OK
4. Exit the Group Policy Editor
5. Navigate to the "share" folder > right-click > Properties > Security > Advanced > Auditing
6. DON'T click Add; double-click in the white space in the middle of the Auditing window.
7. By default the "Everyone" Group is selected, leave it this way unless there is a specific group you want to audit.
8. Select the "actions" you want to audit > OK > OK > OK
Audited events will now be displayed in Event Viewer > Security log.
I set the folder with the audit policy, but for some reason in the Event Viewer all I am getting is "Object Access" category entries. I am looking for more specific things like:
User A deleted this file/folder on whatever date... Is this even possible?
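The same procedure done from PowerShell, plus the query that turns the raw "Object Access" entries into "who deleted what, when". This is an added example, not code from the original post. It assumes Windows Server 2008 R2 or later (where file-system audits are logged as event ID 4663, which carries the object name and access mask, and 4660, which is written only when the object is actually deleted and carries just the handle ID), an elevated session (Set-Acl on a SACL needs SeSecurityPrivilege), and a placeholder share path `D:\Shares\Production`; on Server 2003 the equivalent IDs are 560 and 564 and the script would need adjusting.

```powershell
# Added example (not from the original post). Assumes Windows Server 2008 R2
# or later and an elevated PowerShell session. $SharePath is a placeholder.

$SharePath = 'D:\Shares\Production'   # hypothetical folder to audit

# 1. Enable only the "File System" subcategory of Object Access so the
#    Security log is not flooded with registry/kernel-object noise.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Put a SACL on the folder: audit Delete and DeleteSubdirectoriesAndFiles
#    for Everyone, inherited by every child file and folder.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Helper: pull one named field out of an event's EventData block.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 3. Correlate 4663 (ObjectName + AccessMask + user) with 4660 (the delete
#    really happened) via HandleId to get "User A deleted X at time T".
function Get-FolderDeletions {
    param([string]$Path, [datetime]$After = (Get-Date).AddDays(-1))

    $DELETE            = 0x10000   # DELETE right in the access mask
    $FILE_DELETE_CHILD = 0x40      # deleting a child via its parent directory

    # Index 4663 events that requested a delete right on something under $Path.
    $byHandle = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $After } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $obj  = Get-EventField $_ 'ObjectName'
        $mask = [Convert]::ToInt64((Get-EventField $_ 'AccessMask'), 16)
        if ($obj -and $obj.StartsWith($Path, 'OrdinalIgnoreCase') -and
            ($mask -band ($DELETE -bor $FILE_DELETE_CHILD))) {
            $byHandle[(Get-EventField $_ 'HandleId')] = [pscustomobject]@{
                Object  = $obj
                User    = (Get-EventField $_ 'SubjectDomainName') + '\' + (Get-EventField $_ 'SubjectUserName')
                Process = Get-EventField $_ 'ProcessName'
            }
        }
      }

    # 4660 is logged only when the object is actually removed, so a 4663 with
    # DELETE that never pairs with a 4660 was a rename or a failed attempt.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660; StartTime = $After } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $h = Get-EventField $_ 'HandleId'
        if ($byHandle.ContainsKey($h)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $byHandle[$h].User
                Deleted = $byHandle[$h].Object
                Process = $byHandle[$h].Process
            }
        }
      }
}

Get-FolderDeletions -Path $SharePath -After (Get-Date).AddHours(-24) |
    Sort-Object Time | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: a 4663 with the DELETE right also fires on renames and on deletes that were denied, which is why the script reports only handles that also produced a 4660; and handle IDs are reused over time, so keep the query window short (hours, not weeks) to avoid mispairing. Check what is actually switched on with `auditpol /get /category:"Object Access"` if no 4663/4660 events appear at all.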