Files Access Auditing - Win Server 2003

Posted on 2009-12-29
Last Modified: 2012-08-14

This shouldn't really be a problem, but for some odd reason, we are having problems enabling file access auditing on one of our Windows machines.

The server is an Active Directory member server. An audit policy has been created on the folder (auditing "everyone" - full control (failed and successful) including all files and subfolders, and having been inherited to the child folders). In addition, failed and successful object access has been enabled in the local security policy of the machine. No group policies define this value otherwise. The partition on which the folder to be audited resides is formatted as an NTFS partition.

For everything done on this machine, we get hundreds of log entries. The only problem is, that which we want logged is not being logged - who touched what file and how they accessed it (at least the file name and path are seen nowhere in any entry).

I've done enough troubleshooting, (re)read MSDN articles, etc.
( - it applies for XP, but the method is the same)

Does anyone have any ideas what the problem might be and if there are any other options that affect these settings?
Question by:eSourceONE

    Expert Comment

    Hello. You have to enable "Audit object access" setting.  Edit the Default Domain Policy (or any other policy that you are applying to the OU where the server is), and go to Computer configuration, windows settings, local policies, audit policy. There you can define what actions will be in the audit logs.

    Author Comment

    Yes, that has been configured through the local security policy.

    Author Comment

    Here are the current settings. Unfortunately, I only have them in German, however, I think they are more or less obvious.

    The LSP settings show that Object Access is being audited - both successful and failed

    The Folder's audit settings show that I am auditing for "everyone" / Full Control / applies to "This folder, subfolders, and files" / The settings have been passed on to child objects by enabling the second checkbox. I have also confirmed that they were inherited to subfolders, files, etc.

    As stated, we are getting thousands of Object Access log entries, however none which contain the file name accessed, who accessed it, and how.

    Accepted Solution

    Hi eSourceONE,

    I would suggest auditing just one particular user on a particular folder to simplify the issue. This will help to see whether auditing works or not. To do so:
    1. Enable object access audit policy. Be sure there is no policy defined on the domain/OU that will overwrite the policy we are defining. You can use the command "gpresult /v >gpresult.txt" to verify.

    2. Create a test folder, put some files in it and configure audit on it. We can just audit successful and failed delete of the folder and its sub files and folders.

    3. Save the security log and then delete it.

    4. Delete a file in the test folder. Check the Security log. There will be several events logged and the file name should appear on one of them.

    5. Starting from above you can configure other object access policy. Remember the event ID and next time you want to find out a particular object access, search for that event ID in the Security log.

    Hope this helps!
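
The narrow test from the accepted answer, scripted as an added example (not part of the original post). Assumptions: PowerShell is installed on the server, `C:\AuditTest` is a hypothetical scratch folder, the audited account is the one running the script, and a start timestamp is used to isolate the new events instead of clearing the Security log.

```powershell
# Added example. Assumptions: run as a local administrator, PowerShell installed,
# "Audit object access" (success and failure) already enabled in the security policy.
$folder = 'C:\AuditTest'                       # hypothetical scratch folder
$user   = "$env:USERDOMAIN\$env:USERNAME"      # audit only the account running the test

# Step 1: record the effective policy so a domain/OU override can be ruled out.
gpresult /v > gpresult.txt
Select-String -Path gpresult.txt -Pattern 'Audit' | ForEach-Object { $_.Line.Trim() }

# Step 2: create the folder and put one narrow audit rule (SACL entry) on it:
# successful and failed deletes, inherited by subfolders and files.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($user, $rights, $inherit, $prop, $flags)
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Files created after the rule is in place inherit it.
1..3 | ForEach-Object { Set-Content -Path (Join-Path $folder "test$_.txt") -Value 'audit test' }

# Read the rule back; an empty result means the SACL was not written.
(Get-Acl -Path $folder -Audit).Audit |
    Format-List IdentityReference, FileSystemRights, AuditFlags, IsInherited

# Steps 3-4: note the time, delete one file, then read only newer Security events.
# The one-second margin covers the whole-second resolution of event timestamps.
$start = (Get-Date).AddSeconds(-1)
Remove-Item -Path (Join-Path $folder 'test1.txt')
Start-Sleep -Seconds 2
$hits = Get-EventLog -LogName Security -Newest 500 |
    Where-Object { $_.TimeGenerated -ge $start -and $_.Message -like '*test1.txt*' }

# Step 5: the event IDs that carry the file name are the ones to search for later.
$hits | Group-Object EventID | Select-Object Name, Count
$hits | Select-Object -First 1 | Format-List TimeGenerated, EventID, EntryType, Message
```

If the read-back shows the rule but `$hits` is empty, the object access policy is not taking effect on this machine; if the read-back is empty, the SACL on the folder is the problem.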

    Author Comment

    It seems to work now. All I did was to recreate the auditing to a folder next to it, and test auditing my user only. That worked fine, as did the following audit of my user to the initial folder. Finally, I changed it to "everyone" and it works.  The configuration is the same, all checkboxes identical to the way they were before.

    Thanks for your help!

    Author Closing Comment

    The solution was to recreate the auditing, using the same settings as posted in the screenshots.
