• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 560
  • Last Modified:

File/Folder Auditing in Windows Server 2003; Event 560/562 spam

I'm attempting to test auditing out (for files/folders), and I'm bumping into an issue:
I have adjusted the audit object access to Success/Failure under Group Policy, and I've added the OU I want under the folder auditing settings (under security > advanced > auditing). Well, it creates the events just fine; however, any time I refresh the event log or move around in the folder/files specified (under user in OU on client computer), the security log is SPAMMED with 560/562 entries. I'm trying to keep it limited to just what I need (i.e., I don't need 560/562 entries when I refresh the log and if a success or failure occurs 1-2 entries would be ideal).
Please advise.
(Side note: I've disabled "Audit: Audit the access of global system objects" under Local Policies > Security Options.)
0
Amoayed
Asked:
Amoayed
1 Solution
 
Will SzymkowskiSenior Solution ArchitectCommented:
There is another method using ADSIedit to modify the SACL's to stop these events. Have you tried this yet? There is also a COM+ hotfix rollup to correct this behaviour as well.

Take a look at the links below which should help with resolving the issue.

COM+ hotfix

ADSIEdit removal of SACL's

Willl.
0
 
AmoayedAuthor Commented:
ADSIEdit.msc runs nothing, but I'll be applying the COM+ fix this weekend.

Thanks. (Still don't know if this is the fix.)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now