Windows Server 2008 R2 file server. Sensitive share is published to DFS and is available when users type a UNC path in explorer.
Acess Base Enumeration is enabled.
We enabled Advance Auditing via GPO, ran gpupdate, configured Auditng on the top-level folder of the protected share at the file server - "Everyone" - "This folder, subfolders, files" - "Successful" and "Failed" for all accesses.
We began seeing a large volume of data in the "Security" event log.
We went back and unchecked all "Successful" items and retained just a few "Failed" items ("Traverse Folder", "List Folder", "Read Permissions", etc).
Now, we are getting no events recorded when we test accessing the object with an unauthorized account.
Question: In this protected share, although we have have Access-Based Enumeration enabled, we want to determine when an unauthorized user might try to access a folder, either by trying to access the top level folder, or by entering an complete UNC path for a subfolder.
What configurations must be made, both the the GPO as well as the folder security settings in order to track/audit just those attempts by unauthorized memeber to access any part of this proctected folder?