I am trying to configure my file server for object access auditing. I want to only audit when someone deletes a folder in a few shares. I decided not to bother with individual files so as not to collect too many entries in the logs.
This is what I did:
1. Placed the file server under its own OU
2. Configured a GP just for that OU and enabled the following:
Under Advanced Audit Policy Configuration:
Object Access>Audit Detailed File Share - Failure
Object Access>Audit File Share - Failure
Object Access>Audit File System - Success and failure
Then I went to the share I want to monitor and enabled auditing for:
Everyone - Delete - Successful and Failed, and under "Apply onto:" I chose This folder and subfolders
This is all I configured.
However, I get a ton of events 4659 in the security logs and they say "A handle to an object was requested with intent to delete."
When I search what this is related to I don't find much but it appears to be related to Kernel Object audits.
I do not have that enabled.
I am also getting events 4663 which seem to be related to SAM auditing, which I am also not doing.
Does anybody know why I am getting these events logged and how I can stop them?
I don't want my logs bogged down with useless events.
Thanks a lot.
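An added example, not part of the original post: a PowerShell triage script that shows the audit policy actually in effect on the server, the audit entries set on the folder, and which object types, paths and processes account for the 4659 and 4663 events. The share path `D:\Shares\Projects` is a placeholder, and the script assumes an elevated session on the file server.

```powershell
# Added example: triage noisy 4659/4663 events on a file server. Run elevated.
# Assumption: placeholder path, replace with the audited share folder.
$SharePath = 'D:\Shares\Projects'

# 1. Effective Object Access audit policy on this machine (after all GPOs merge).
#    Compare this with what the GPO was meant to enable.
auditpol /get /category:"Object Access"

# 2. Audit entries (SACL) really present on the folder, including inherited ones.
(Get-Acl -Path $SharePath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags,
                  InheritanceFlags, PropagationFlags, IsInherited |
    Format-Table -AutoSize

# 3. Pull recent 4659/4663 events and flatten the EventData fields of each one.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4659, 4663 } `
                       -MaxEvents 2000

$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    # Fields that a given event ID does not carry simply come back empty.
    [pscustomobject]@{
        Id         = $e.Id
        ObjectType = $data['ObjectType']      # kind of object the event is about
        ObjectName = $data['ObjectName']      # path or name of the object
        AccessMask = $data['AccessMask']
        Process    = $data['ProcessName']
        User       = $data['SubjectUserName']
        InShare    = ($data['ObjectName'] -like "$SharePath*")
    }
}

# 4. Which event ID / object type combinations dominate, and are they in the share?
$rows | Group-Object Id, ObjectType, InShare |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 5. Top processes and accounts generating the events.
$rows | Group-Object Process, User |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 6. Sample of object names outside the audited share, to locate their SACL source.
$rows | Where-Object { -not $_.InShare } |
    Select-Object -First 20 Id, ObjectType, ObjectName, Process
```

Subcategories reported as enabled in step 1 that were not set in the OU's GPO, or inherited entries in step 2, point to where the extra events are configured.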