• Status: Solved

Auditing - RSOP

We just set up a new GPO and enabled auditing on a couple of our servers. My question really is how do I verify/test this is working properly. We wanted to document/audit when certain changes occur on the network, such as: modification of folders, who logs onto one of these servers, and the normal auditing in general. As a test, I wanted to log in to each server, but don't know where I would view/verify each server log in order to make sure this auditing is correct.

Lastly, even if auditing is correct, is there a way to get even more granular?  There is one 2003 server and one 2008 R2 server.
Mike Kline Commented:
You would check the security event logs. 2008 R2 supports advanced audit config, which can let you get more granular.

Do you have a test lab? You can test this out in a lab and get comfortable.


Sandeshdubey, Senior Server Engineer, Commented:
In order to audit, you need to first enable the audit policy for audit object access on the OU where all PCs are placed or in the Default Domain Policy.

Refer below link:

I would also recommend enabling minimal audit settings on files and folders, as this will create a storm of events. Auditing can generate a large amount of data. Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.

You need to check the event log to track the activities carried out by users. If a file is deleted, event ID 560 (Win2003) is logged in the security log.

You also need to enable audit account logon events to track the logon and account management; see this for auditing:
AD DS Auditing Step-by-Step Guide: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

You can use Eventtriggers.exe to send e-mail based on Event IDs for certain critical event IDs:

Getting event log contents by email on an event log trigger
You can also set up event subscriptions in Windows 2008 to collect the event.

Hope this helps
uppercut7141 Author Commented:
I checked the Event Viewer and received the following Event IDs when I logged on/logged off the server as well as making a modification of permission on a specific folder:

4672  -- when I logged onto server

4647, 4634 - when I logged off server

When I added rights to a specific folder for a user, I received event ID:  

4673  -- A privileged service was called
4688  -- Process creation

Does this appear correct?  I was expecting more information from Event Viewer.
uppercut7141 Author Commented:
Any thoughts on this?
Mike Kline Commented:
Yes, those are correct. This is a very handy spreadsheet to have that lists all the events.



In Windows Server 2008 there is a possibility to audit changes in Active Directory.

Check out the link:

AD DS Auditing Step-by-Step Guide

They are audited as events in the Security event log, as recommended by mkline71. You can also go for an AD auditing tool for documentation purposes, as these tools have functionality to give a regular report in your desired format for verification purposes.
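
One way to run the verification discussed in this thread on the 2008 R2 server, as an added example that is not part of any poster's reply. The folder path is a hypothetical placeholder, and event IDs 4624, 4663 and 4670 are assumptions added to the IDs reported above; `Get-WinEvent` is not available on the 2003 server, which logs the older three-digit IDs.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
$folder = 'D:\Shares\Example'      # hypothetical path: the folder whose changes should be audited
$since  = (Get-Date).AddHours(-1)  # window covering the test logon and permission change

# IDs reported in the thread: 4672, 4647, 4634, 4673, 4688.
# Added as assumptions about what the test should also produce:
# 4624 (logon), 4663 (object access attempt), 4670 (object permissions changed).
$ids = 4624, 4634, 4647, 4672, 4673, 4688, 4663, 4670

# 1. Effective audit policy per subcategory (Success / Failure / No Auditing).
#    Logon/Logoff and Object Access > File System must be enabled for the IDs above.
auditpol.exe /get /category:*

# 2. Auditing entries (SACL) on the folder. File System events are only written
#    for objects that carry an audit entry, so an empty result here explains
#    missing 4663/4670 events even when the GPO itself applied correctly.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 3. Pull the matching Security-log events from the test window.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = $since
} -ErrorAction SilentlyContinue

# 4. Count per event ID, then list the IDs that never fired.
$events | Group-Object Id | Sort-Object Name | Format-Table Name, Count -AutoSize
$seen = @($events | ForEach-Object { $_.Id } | Select-Object -Unique)
$ids | Where-Object { $seen -notcontains $_ } |
    ForEach-Object { "No events with ID $_ since $since" }

# 5. Show the detail (account, object name, access requested) of the most
#    recent file-system events, which is where the "who changed what" lives.
$events | Where-Object { $_.Id -eq 4663 -or $_.Id -eq 4670 } |
    Select-Object -First 5 TimeCreated, Id, Message | Format-List
```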