I am in the process of enabling file system auditing on a SBS 2003 server for a client and I have run into a small problem. I have created a new group policy that add the audit of success and failure of object access and ensured that it has been applied to the server using RSoP. I enabled auditing on a test folder and created some files, saved changes to the files and then went to the security log to make sure things were working as expected. However, what I found was that the Exchange process store.exe was unexpectedly generating a large amount of events as well. Here is a copy of one of the events I get:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Time: 9:15:25 AM
User: NT AUTHORITY\SYSTEM
Object Server: Microsoft Exchange
Handle ID: 287640912
Process ID: 6652
Image File Name: C:\Program Files\Exchsrvr\bin\store.exe
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
There are sometimes about 15 of these generated within a minute. I suspect that there is a audit ACL on a file/folder that store.exe uses, but the event does not provide any information that I can use to find the file/folder.