Solved

NTFS auditing

Posted on 2012-04-06
2
437 Views
Last Modified: 2012-06-27
Hello,

   I can only find this answer online for Server 2003, need info for Server2008r2. When I turn on Auditing for a file, what event ID do I look for in the security logs to see who made changes. Its funny how al of the articles out there show everytihng but this info.
0
Comment
Question by:entint
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
BelushiLomax earned 300 total points
ID: 37816007
event id 4656  I believe
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37816129
•New Event IDs for auditing CHANGES
¿Modification of objects: event ID 5136
¦Explicit SACL on object or inheriting SACL on parent container auditing <sec. princ.> for "Successes/Failures" of "<whatever action>" on "<whatever scope>"
¿Creation of objects: event ID 5137
¦Explicit/Inheriting SACL on parent container auditing <sec. princ.> for "Successes/Failures" of "Create specific object-Class" or "Create All Childs" on "This Object and All Descendant Objects"
¿Undelete/reanimation of objects: event ID 5138
¦Explicit SACL on NC head auditing <sec. princ.> for "Successes/Failures" of "Reanimate Tombstone" on "This Object Only"
¦Explicit/Inheriting SACL on target OU auditing <sec. princ.> for "Successes/Failures" of "Create specific object-Class" or "Create All Childs" on "This Object and All Descendant Objects"
¿Moving objects: event ID 5139
¦Explicit/Inheriting SACL on source OU auditing <sec. princ.> for "Successes/Failures" of "Delete specific object-Class" or "Delete All Childs" on "This Object and All Descendant Objects"
¦Explicit/Inheriting SACL on target OU auditing <sec. princ.> for "Successes/Failures" of "Create specific object-Class" or "Create All Childs" on "This Object and All Descendant Objects"


http://blogs.dirteam.com/blogs/jorge/archive/2008/04/29/auditing-in-windows-server-2008.aspx
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question