• Status: Solved

Audit file/folders for changes on server 2008 r2

I have found some information regarding file/folder auditing and have come up short.

I want to audit a specific folder on our network for files and folders that have been moved or deleted. The guides that I have looked at tell me to go to administrative tools > local security policy > expand local policies > select audit policy. The option to enable any of the sections is greyed out.
I would need to know how to fix this.


I also need to know how to set up auditing for a certain group - let's say the group is sales or marketing or administrators. When a user who is part of this group(s) moves a file/folder or deletes a file/folder, where is the information stored - which log is it, and how do I view it so that it makes sense?

Any help would be appreciated.

Thanks

 
RobSampson commented:
Hi, if it's greyed out, I would suspect you have some domain policy that's preventing it from being enabled.  Run RSOP.msc and see what might be affecting those settings.

Also, see here for information on auditing:
http://technet.microsoft.com/en-us/library/dd277403.aspx

There's a section three quarters of the way down that is titled
Enabling and editing Audit on Files and Folders

and it shows adding auditing for specific groups or users.

Regards,

Rob.
 
jchongers71 (Author) commented:
Thanks for the info and link. However, the information is for Server 2000; I am using 2008 R2.
 
jchongers71 (Author) commented:
Also, when I run RSOP.msc the settings are also greyed out on those screens as well. Is this normal?
 
David Johnson, CD, MVP (Owner) commented:
RSOP is the result of the policy; it does not allow you to change things.
 
RobSampson commented:
RSOP won't allow you to change things, but you should see which domain policy has affected the settings.  It should say which policy has configured it....
 
jchongers71 (Author) commented:
I believe what I need to change is Audit Object Access - According to RSOP, Audit object access is set to No auditing, Source GPO = Default Domain Controllers Policy.

What's the next step?
 
RobSampson commented:
If your Default Domain Controllers policy is setting it to No Auditing, you will need to get it changed to what you need.  If the Domain Controllers policy is in effect, does that mean you want to set up auditing *on* a domain controller? I'm not sure of the impact auditing would have on a domain controller, but you won't want to consume too many system resources on it....

There's more information here:
http://technet.microsoft.com/en-us/library/cc771395(WS.10).aspx

Regards,

Rob.
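The steps discussed in this thread, end to end, as an added example that is not from any of the posters: check that the effective policy audits file system access, add an audit entry (SACL) for one group on one folder, then read the resulting events from the Security log. The folder path and group name are hypothetical; event ID 4663 and the DELETE access mask 0x10000 are standard Windows values not mentioned in the thread. Run from an elevated PowerShell prompt on the server that hosts the folder.

```powershell
# Assumed values (not from the thread): adjust to your environment.
$Folder = 'D:\Shares\Sales'   # hypothetical folder to audit
$Group  = 'CONTOSO\Sales'     # hypothetical domain group

# 1. Confirm the effective policy audits file system access. "File System"
#    is a subcategory of Object Access; if this reports "No Auditing"
#    (for example because a GPO sets it), the SACL below logs nothing.
auditpol /get /subcategory:"File System"

# 2. Build an audit rule: successful deletes by the group, inherited by
#    subfolders and files. A move requests DELETE access on the source,
#    so it is recorded the same way.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $Group, $rights, $inherit, $prop, $flags)

# -Audit is required to read the SACL; without it the rule is not saved.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read the Security log. Event 4663 = "An attempt was made to access
#    an object". Property positions follow the 4663 event layout:
#    [1] account name, [6] object name, [9] access mask, [11] process.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    Where-Object {
        $_.Properties[6].Value -like "$Folder*" -and   # only the audited tree
        $_.Properties[9].Value -eq '0x10000'           # DELETE access requested
    } |
    Select-Object TimeCreated,
        @{ Name = 'User';    Expression = { $_.Properties[1].Value } },
        @{ Name = 'Object';  Expression = { $_.Properties[6].Value } },
        @{ Name = 'Process'; Expression = { $_.Properties[11].Value } } |
    Format-Table -AutoSize
```

The same events appear in Event Viewer under Windows Logs > Security, where they can be filtered by event ID 4663.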