Solved

File/Folder Auditing in Windows Server 2003; Event 560/562 spam

Posted on 2014-01-23
2
533 Views
Last Modified: 2014-02-14
I'm attempting to test auditing out (for files/folders), and I'm bumping into an issue:
I have adjusted the audit object access to Success/Failure under Group Policy, and I've added the OU I want under the folder auditing settings (under security > advanced > auditing). Well, it creates the events just fine; however, any time I refresh the event log or move around in the folder/files specified (under user in OU on client computer), the security log is SPAMMED with 560/562 entries. I'm trying to keep it limited to just what I need (i.e., I don't need 560/562 entries when I refresh the log and if a success or failure occurs 1-2 entries would be ideal).
Please advise.
(Side note: I've disabled "Audit: Audit the access of global system objects" under Local Policies > Security Options.)
0
Comment
Question by:Amoayed
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 300 total points
ID: 39806494
There is another method using ADSIedit to modify the SACL's to stop these events. Have you tried this yet? There is also a COM+ hotfix rollup to correct this behaviour as well.

Take a look at the links below which should help with resolving the issue.

COM+ hotfix

ADSIEdit removal of SACL's

Willl.
0
 

Author Closing Comment

by:Amoayed
ID: 39859812
ADSIEdit.msc runs nothing, but I'll be applying the COM+ fix this weekend.

Thanks. (Still don't know if this is the fix.)
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question