• Status: Solved

Files Access Auditing - Win Server 2003

Hello,

This shouldn't really be a problem, but for some odd reason, we are having problems enabling file access auditing on one of our Windows machines.

The server is an Active Directory member server. An audit policy has been created on the folder (auditing "everyone" - full control (failed and successful) including all files and subfolders, and having been inherited to the child folders). In addition, failed and successful object access has been enabled in the local security policy of the machine. No group policies define this value otherwise. The partition on which the folder to be audited resides is formatted as an NTFS partition.

For everything done on this machine, we get hundreds of log entries. The only problem is, that which we want logged is not being logged - who touched what file and how they accessed it (at least the file name and path are seen nowhere in any entry).

I've done enough troubleshooting, (re)read MSDN articles, etc.
(http://support.microsoft.com/kb/310399/en-us - it applies for XP, but the method is the same)

Does anyone have any ideas what the problem might be and if there are any other options that affect these settings?
0
eSourceONE
Asked:
 
enriquecadalso Commented:
Hello. You have to enable "Audit object access" setting.  Edit the Default Domain Policy (or any other policy that you are applying to the OU where the server is), and go to Computer configuration, windows settings, local policies, audit policy. There you can define what actions will be in the audit logs.
0
 
eSourceONE (Author) Commented:
Yes, that has been configured through the local security policy.
0
 
eSourceONE (Author) Commented:
Here are the current settings. Unfortunately, I only have them in German, however, I think they are more or less obvious.

The LSP settings show that Object Access is being audited - both successful and failed.

The Folder's audit settings show that I am auditing for "everyone" / Full Control / applies to "This folder, subfolders, and files" / The settings have been passed on to child objects by enabling the second checkbox. I have also confirmed that they were inherited to subfolders, files, etc.

As stated, we are getting thousands of Object Access log entries, however none which contain the file name accessed, who accessed it, and how.
LSP.PNG
Audit-Settings.PNG
0
 
hshao Commented:
Hi eSourceONE,

I would suggest auditing just one particular user on a particular folder to simplify the issue. This will help to see whether auditing works or not. To do so:
1. Enable the object access audit policy. Be sure that no policy defined on the domain/OU will overwrite the policy we are defining. You can use the command "gpresult /v >gpresult.txt" to verify.

2. Create a test folder, put some files in it and configure audit on it. We can just audit successful and failed delete of the folder and its sub files and folders.

3. Save the security log and then delete it.

4. Delete a file in the test folder. Check the Security log. There will be several events logged and the file name should appear on one of them.

5. Starting from above you can configure other object access policy. Remember the event ID and next time you want to find out a particular object access, search for that event ID in the Security log.

Hope this helps!
0
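
Added example, not posted by anyone in this thread: the search from step 5 done over exported Security log entries, keeping only file objects and pulling out who, which file and how. It assumes event ID 560 ("Object Open", the Windows Server 2003 object-access event) and that the log is already available as (event ID, description) pairs; the sample events and the function names are constructed for illustration.

```python
import re
# Constructed sample: (event ID, description) pairs shaped like Windows Server
# 2003 Security log entries. Users, hosts and paths are invented.
SAMPLE_EVENTS = [
    (560, "Object Open:\n"
          "\tObject Type:\tFile\n"
          "\tObject Name:\tD:\\AuditTest\\report.doc\n"
          "\tPrimary User Name:\tSRV01$\n"
          "\tClient User Name:\tjdoe\n"
          "\tAccesses:\tDELETE\n"
          "\t\t\tReadAttributes\n"),
    (560, "Object Open:\n"
          "\tObject Type:\tKey\n"
          "\tObject Name:\t\\REGISTRY\\MACHINE\\SOFTWARE\\Example\n"
          "\tAccesses:\tQuery key value\n"),
    (562, "Handle Closed:\n\tObject Server:\tSecurity\n\tHandle ID:\t1234\n"),
]

def parse_fields(description):
    """Map each 'Label:' to its values; unlabeled lines continue the previous
    field, which is how the multi-line Accesses list is laid out."""
    fields, current = {}, None
    for line in description.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.*)$", line)
        if m:
            current = m.group(1).strip()
            fields[current] = [m.group(2).strip()] if m.group(2).strip() else []
        elif current and line.strip():
            fields[current].append(line.strip())
    return fields

def file_accesses(events, event_id=560):
    """Return who/what/how for object-open events whose object is a file."""
    hits = []
    for eid, description in events:
        f = parse_fields(description)
        if eid != event_id or f.get("Object Type") != ["File"]:
            continue
        first = lambda name: (f.get(name) or ["-"])[0]
        # Over the network the primary user is the server; the client is the person.
        user = first("Client User Name")
        if user == "-":
            user = first("Primary User Name")
        hits.append({"user": user, "path": first("Object Name"),
                     "accesses": f.get("Accesses", [])})
    return hits

if __name__ == "__main__":
    for hit in file_accesses(SAMPLE_EVENTS):
        print(hit["user"], hit["path"], ", ".join(hit["accesses"]))
```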
 
eSourceONE (Author) Commented:
It seems to work now. All I did was to recreate the auditing to a folder next to it, and test auditing my user only. That worked fine, as did the following audit of my user to the initial folder. Finally, I changed it to "everyone" and it works.  The configuration is the same, all checkboxes identical to the way they were before.

Thanks for your help!
0
 
eSourceONE (Author) Commented:
The solution was to recreate the auditing, using the same settings as posted in the screenshots.
0