• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 556
  • Last Modified:

File/Folder Auditing in Windows Server 2003; Event 560/562 spam

I'm attempting to test auditing out (for files/folders), and I'm bumping into an issue:
I have adjusted the audit object access to Success/Failure under Group Policy, and I've added the OU I want under the folder auditing settings (under security > advanced > auditing). Well, it creates the events just fine; however, any time I refresh the event log or move around in the folder/files specified (under user in OU on client computer), the security log is SPAMMED with 560/562 entries. I'm trying to keep it limited to just what I need (i.e., I don't need 560/562 entries when I refresh the log and if a success or failure occurs 1-2 entries would be ideal).
Please advise.
(Side note: I've disabled "Audit: Audit the access of global system objects" under Local Policies > Security Options.)
0
Amoayed
Asked:
Amoayed
1 Solution
 
Will SzymkowskiSenior Solution ArchitectCommented:
There is another method using ADSIedit to modify the SACL's to stop these events. Have you tried this yet? There is also a COM+ hotfix rollup to correct this behaviour as well.

Take a look at the links below which should help with resolving the issue.

COM+ hotfix

ADSIEdit removal of SACL's

Willl.
0
 
AmoayedAuthor Commented:
ADSIEdit.msc runs nothing, but I'll be applying the COM+ fix this weekend.

Thanks. (Still don't know if this is the fix.)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now