I have been asked to setup auditing so we have security logs for each time a folders permission are modified. I have done research and followed the steps below
1. Define the group policy “Audit object access” to audit the attemps “Success” or “Failure” for the target computer.
a. Open the computer local group policy (gpedit.msc) or Create a GPO link it to the target computer OU. (gpmc.msc).
b. Expand the group policy to [Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access]
c. Double click “Audit object access”, tick on the option “Define these policy settings”.
d. Select both “Success” and “Failure”, click OK.
e. Run “gpudate /force” on the target computer if you choose the GPO deployment.
2. Enbale the auditing changes on the target NTFS file of folder level.
a. go to the file or folder properties-> security->Advanced->auditing tab
b. Click on Add and Add Everyone
c. Under apply to make sure This Folder, Sub Folders and Files is selected
d. Click to check the check boxes for Change permissions both “successful” and “failed”.
The problem is that when I follow these steps, I am bombarded with events, like thousands. All events have a task Category of 'Detailed File Share.' I understand that this would be the expected traffic if I was auditing everytime a file\folder was accessed, but I am only interested in the permission changes. Can anyone help?!
BTW: I am setting this up and a 2008r2 File Server.