Solved

Auditing Permissions - Server 2003

Posted on 2009-05-10
Last Modified: 2013-12-04
I have a problem with one server on a domain of 11 Windows 2003 servers. Since this was migrated from a smaller HP box to the current box, users have experienced very slow access to files, access denied faults requiring permissions to be reset, folders disappearing, and the system freezing for > 60sec on attempting to reset permissions. Random users are affected by all these faults.

I've found a question posted back in 2004 (see Q_21233866) with someone having a similar problem and I've also referred to this issue in my open question (Q_24382549), which is about wiping and resetting the folder share permissions and the NTFS security.

Having reviewed various TechNet pages, I am unclear if turning on NTFS auditing will affect existing permissions.  Please can someone clarify:
1. The steps required to enable NTFS auditing so that I can track which accounts (if any) are triggering these changes to permissions, deleting folders etc.
2. Which actions should be audited for success / failure
3. Confirm that setting the auditing does not change any of the existing granted user share permissions or NTFS security.

Server is Dell PowerEdge 2950, dual quad core CPU, 16GB RAM, 2 x 146GB mirrored SAS for system partition, 4 x 1 TB SATA RAID 5 data partition, dual teamed 1GB NICs, Windows Server 2003 SP2
Question by:cmdown
7 Comments
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24348340
Hi, in answer to your questions:

1. You need to configure auditing using either local or group policy on the server. The policy is:

Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy | 'Audit Object Access'

Set it to Success and Failure. If you've set it via a GPO, then force a refresh (gpupdate /force). Then using Explorer, go to the file/folder you want to audit, Security Tab | Advanced | Auditing. Add the 'Everyone' group and set the events you want to audit, e.g. 'Change permissions - Success'.

Now when a permission is changed, this should be logged in the Security Event log.

2. See 1. :0)

3. No, auditing will not change the permissions of the file/folder.
0
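
The auditing entry from step 1 can also be added from a script, which makes it easy to confirm that the permissions are untouched. This is an added example, not code from the thread; it assumes Windows PowerShell on the .NET Framework, an elevated prompt, 'Audit Object Access' already enabled as in step 1, and a hypothetical folder D:\Shares.

```powershell
# Added example: add an audit (SACL) entry and prove the permissions did not change.
$Path = 'D:\Shares'   # hypothetical folder to audit

# Snapshot owner, group and DACL (the NTFS permissions) before the change.
$sections = [System.Security.AccessControl.AccessControlSections]'Owner, Group, Access'
$before   = (Get-Acl -Path $Path).GetSecurityDescriptorSddlForm($sections)

# Load ONLY the audit section, so only the SACL is written back.
$auditOnly = [System.Security.AccessControl.AccessControlSections]::Audit
$sec = New-Object System.Security.AccessControl.DirectorySecurity -ArgumentList $Path, $auditOnly

# 'Everyone', successful permission changes and deletes, inherited by
# subfolders and files (the same choices as in the Explorer Auditing tab).
$rights    = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, Delete, DeleteSubdirectoriesAndFiles'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]::Success
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Everyone', $rights, $inherit, $propagate, $flags

$sec.AddAuditRule($rule)
[System.IO.Directory]::SetAccessControl($Path, $sec)

# The owner/group/DACL SDDL must be identical before and after.
$after = (Get-Acl -Path $Path).GetSecurityDescriptorSddlForm($sections)
if ($before -ne $after) { throw "Permissions on $Path changed unexpectedly" }

# Show the audit entries now present on the folder.
(Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Server 2003 object-access events: 560 (object open), 564 (object deleted),
# 567 (object access attempt). Later Windows versions use different IDs.
$ids = 560, 564, 567
Get-EventLog -LogName Security -Newest 2000 |
    Where-Object { $ids -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, UserName, Message
```

Inherited audit entries on a large tree generate many events, so size the Security log before enabling this on a busy share.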
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24348688
Auditing won't change anything.
0
 
LVL 1

Author Comment

by:cmdown
ID: 24348689
Hi Tony
Thank you for your reply. This server is not a DC and I can't find the local policy snap-in. How & where can I set a policy that applies only to this server and not all the others in the domain?
0
 
LVL 1

Author Comment

by:cmdown
ID: 24348718
Found it!
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24348722
You can get the local policy snap-in by typing gpedit.msc in the Run box.

Either that, or create a group policy, apply it to the OU holding the server, but then use security filtering (Scope tab in the GPMC) to only allow that one server to apply the policy (see the screenshot below of the GPMC). Remove 'Authenticated Users' and add just the computer account for the server (you'll have to tick 'Computer' in Object Types when selecting the computer account).

Probably simpler to apply locally if you can though! Bear in mind that local policy will be overruled by any conflicting group policies applied to the server.
Snap2.jpg
0
 
LVL 1

Author Closing Comment

by:cmdown
ID: 31579897
Thanks Tony.  Have saved and cleared existing log.  Expanded max log size to 128Mb (!) (1,400 users !!) and set logging for change permissions as well as delete files and folders for the drive.  
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24348778
Wise move! It always pays to be careful when applying auditing to ensure that your log files don't get jammed with events.

Glad you got it sorted (or at least on the way to getting it sorted!)
0
