File and Folder Auditing via Group Policy (GPO)

Posted on 2014-10-07
Last Modified: 2014-10-10
In a Windows 2008 Active Directory Domain, I am trying to set/enable auditing on all computers (Default Domain Policy) for directories:

%SystemRoot%\system
%SystemRoot%\System32\drivers
%SystemRoot%\System32\wbem

Audit Settings are to track the "Everyone" group for:
create file / write data – Successful
create folders / append data - Successful

for "This Folder Only".

On gpupdate /force, the following appears in the winlogon.log:

----Configure File Security...
        Configure c:\windows\system.
Warning 5: Access is denied.
        Error setting security on c:\windows\system.
        Configure c:\windows\system32\drivers.
Warning 5: Access is denied.
        Error setting security on c:\windows\system32\drivers.
        Configure c:\windows\system32\wbem.
Warning 5: Access is denied.
        Error setting security on c:\windows\system32\wbem.

        File Security configuration was completed successfully.

I've searched here and on various Technet/MS Social sites and so far the only hint I've gotten is that it _might_ be related to UAC.

However, thus far no replies have actually offered up a solution as to how to accomplish this without having to touch _every_ PC in the organization one-by-one.

I look forward to thoughts and discussion around this topic and can only hope for a solution.
Question by:Ed_V
14 Comments
 
Expert Comment

by:McKnife
ID: 40366919
The audit settings are propagated how?
This would be done using file system ACLs in GPOs as shown here: Screenshot
Is this how you do it?

Author Comment

by:Ed_V
ID: 40367034
Indeed yes...

Main GPO Editor:

GPEdit-config
Individual item details:

Properties:

system audit properties
Audit Entry:

System audit
Audit Tab:

Audit Tab
Resultant policy at a member workstation (Win 7 x64):

workstation results
So the command line result as posted is accurate (I've added some that work as expected) to wit:

----Configure File Security...
        Configure c:\programdata.
        Configure c:\windows.
        Configure c:\windows\system.
Warning 5: Access is denied.
        Error setting security on c:\windows\system.
        Configure c:\windows\system32\config\systemprofile\appdata\local.
        Configure c:\windows\system32\config\systemprofile\appdata\locallow.
        Configure c:\windows\system32\config\systemprofile\appdata\roaming.
        Configure c:\windows\system32\drivers.
Warning 5: Access is denied.
        Error setting security on c:\windows\system32\drivers.
        Configure c:\windows\system32\wbem.
Warning 5: Access is denied.
        Error setting security on c:\windows\system32\wbem.

        File Security configuration was completed successfully.

Assisted Solution

by:McKnife
ID: 40369005
Ok...
I am tempted to reproduce, but could you first try and see what happens if you start a shell as system (psexec -s -I cmd) and then inside do the same using subinacl as shown here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/4357bebc-a2bf-45bb-8ce1-1dc8f7adcbc2/command-to-set-modify-advanced-security-settings-audit-settings-for-folders-on-windows-2008?forum=winservergen
Does that work?

Author Comment

by:Ed_V
ID: 40369204
Thank you for the pointer to subinacl.

Promising tool, but the granularity/specificity doesn't seem to be there.

The below was done with a command prompt run as "psexec -s cmd" as the "psexec -s -l cmd" returned "cmd exited with error code -1073741502."

With a manual set via the GUI, SubInACL tells me:

subinacl /noverbose /file c:\Windows\system

========================
+File c:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =1
/aace =everyone  Type=0x2 Flags=0xc0 AccessMask=0x10046

or from the GUI:

pre-subinacl
The closest I seem to be able to come with the SubInACL tool is:

D:\>subinacl /outputlog=testsia.log /onlyfile C:\Windows\system\ /sgrant=Everyone=W

Elapsed Time: 00 00:00:00
Done:        1, Modified        1, Failed        0, Syntax errors        0
Last Done  : C:\Windows\system\

which produces:

subinacl /noverbose /file c:\Windows\system

========================
+File c:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =2
/aace =everyone  Type=0x2 Flags=0x49 AccessMask=0xf01bf
/aace =everyone  Type=0x2 Flags=0x42 AccessMask=0xf01bf

from the GUI, this is:

post-subinacl
Not quite the same, and I don't see an option in SubInACL to set the audit type to "0xc0".

Hoping I missed something here, but it doesn't seem that way...

Expert Comment

by:McKnife
ID: 40369377
Ok, one step back, please:
psexec -s -I cmd
it's not an L, it's an I (or i).

Please retry.

Author Comment

by:Ed_V
ID: 40369427
That does make a difference (doggone sans-serif fonts...).

OK running as "-i -s", it did work and the new CMD window popped.

D:\>whoami
nt authority\system

D:\>subinacl /noverbose /file C:\Windows\system

========================
+File C:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =1
/aace =everyone  Type=0x2 Flags=0x40 AccessMask=0x6
/perm. ace count   =9
/pace =trustedinstaller  Type=0x0 Flags=0x0 AccessMask=0x1f01ff
/pace =trustedinstaller  Type=0x0 Flags=0xa AccessMask=0x10000000
/pace =nt authority\system  Type=0x0 Flags=0x0 AccessMask=0x1301bf
/pace =nt authority\system  Type=0x0 Flags=0xb AccessMask=0x10000000
/pace =builtin\administrators  Type=0x0 Flags=0x0 AccessMask=0x1301bf
/pace =builtin\administrators  Type=0x0 Flags=0xb AccessMask=0x10000000
/pace =builtin\users  Type=0x0 Flags=0x0 AccessMask=0x1200a9
/pace =builtin\users  Type=0x0 Flags=0xb AccessMask=0xa0000000
/pace =creator owner  Type=0x0 Flags=0xb AccessMask=0x10000000


Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        0, Syntax errors        0
Last Done  : C:\Windows\system


Slightly different flags showing, but the GUI is still accurate to what I want to achieve (as above).

From the "/help" option, I see that the "Successfull Audit" options are:

/sgrant=[DomainName\]User[=Access]

     will add a Successfull (Allow) Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.
     Ex: SubInacl /file c:\windows\explorer.exe /sgrant=everyone=R
         will set the audit for everyone's successful access

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

So, to execute I used:

D:\>subinacl /onlyfile C:\Windows\system /sgrant=Everyone=W
C:\Windows\system : delete Audit ACE 0 \everyone
C:\Windows\system : new ace for \everyone
C:\Windows\system : new ace for \everyone
C:\Windows\system : 3 change(s)


Elapsed Time: 00 00:00:00
Done:        1, Modified        1, Failed        0, Syntax errors        0
Last Done  : C:\Windows\system


Which resulted in:

D:\>subinacl /noverbose /file C:\Windows\system

========================
+File C:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =2
/aace =everyone  Type=0x2 Flags=0x49 AccessMask=0x301bf
/aace =everyone  Type=0x2 Flags=0x42 AccessMask=0x301bf
/perm. ace count   =9
/pace =trustedinstaller  Type=0x0 Flags=0x0 AccessMask=0x1f01ff
/pace =trustedinstaller  Type=0x0 Flags=0xa AccessMask=0x10000000
/pace =nt authority\system  Type=0x0 Flags=0x0 AccessMask=0x1301bf
/pace =nt authority\system  Type=0x0 Flags=0xb AccessMask=0x10000000
/pace =builtin\administrators  Type=0x0 Flags=0x0 AccessMask=0x1301bf
/pace =builtin\administrators  Type=0x0 Flags=0xb AccessMask=0x10000000
/pace =builtin\users  Type=0x0 Flags=0x0 AccessMask=0x1200a9
/pace =builtin\users  Type=0x0 Flags=0xb AccessMask=0xa0000000
/pace =creator owner  Type=0x0 Flags=0xb AccessMask=0x10000000


Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        0, Syntax errors        0
Last Done  : C:\Windows\system


Same result as last time, showing extra options in the GUI and not restricting itself to "This folder only".

Thanks again for the ongoing help!

Expert Comment

by:McKnife
ID: 40369481
To hit only c:\windows\system, use
subinacl.exe /file=directoriesonly C:\Windows\system /sgrant=Everyone=W

 

Accepted Solution

by:McKnife
ID: 40369503
By the way, I was tempted to test it, the GPO, I mean, and it worked on c:\windows\system
Client is 8.1, DC is 2012 R2.

Author Comment

by:Ed_V
ID: 40370984
Well darn. I must have something odd in my A/D setup and configuration since the GPO steadfastly refuses to work as expected and the SubInACL command refuses to set audit on _only_ the referred folder (at least for 2008R2 DC and Win 7 clients).

Maybe once we upgrade to 2012 (expected sometime in 2016 - we're a corporation and don't necessarily stay on the bleeding edge), it will work as documented.

Output from your directive above:

========================
+File C:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =2
/aace =everyone  Type=0x2 Flags=0x49 AccessMask=0x20116
/aace =everyone  Type=0x2 Flags=0x42 AccessMask=0x20116
/perm. ace count   =9

which in the GUI sets auditing for "This folder, subfolders and files" along with Successful audit flags for Create files, Create folders, Write attributes, Write extended and Read attributes.

All I need is the two "Create" access options.

Ah well, it was worth the question and I appreciate your help!

I'll accept the solution, but if you think of anything else, please don't hesitate to add to the thread.

Thanks again.

Author Closing Comment

by:Ed_V
ID: 40370992
The rapid assistance was greatly appreciated - even though it seems to be a mismatch between Microsoft documentation and the actual capability of the systems in question that is the root culprit.

Expert Comment

by:McKnife
ID: 40371191
I think the error is on your side rather than in the systems; could it be just small mistakes?
If you set up auditing through GPO just as you documented, it will work. If it doesn't for you, I bet it's not the DC version nor the client version. If you like, I can set up a test machine with win7 or whatever client you use (?) and see what happens. Our DCs are 2008.

About subinacl: this has to work. Be sure that you removed the inheritance manually prior to using the command.

Author Comment

by:Ed_V
ID: 40371453
If so, they're really small and repeated attempts with the changes you suggested above don't seem to make any difference in outcome.

And it's not that SubInACL doesn't work, it's that it is not granular enough - the "single letter" options available as flags select too much and from what I can see (and read in multiple posts on Social.Microsoft), the behavior of setting "This folder, subfolders and files" is default for SubInACL and any means of changing this has not yet been discovered.

As a last gasp effort on my part, I cleared _all_ audit settings from the C:\Windows\system folder and re-applied with SubInACL using the last set of flags you recommended.

Still the same result...

We do use 2008R2 as DCs and have Win 7 clients - if you want to test, I'll be open to what you find, but you've spent some time on this already and I don't want to plague you further if you're frustrated with my lack of success.

Thanks again.
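The granularity the author is missing in SubInACL (one success-audit ACE for Everyone, only the two "Create" rights, scoped to "This folder only") can be set directly with the .NET file-system ACL classes from an elevated Windows PowerShell prompt. This is an added example, not code from the thread or from SubInACL; it assumes Windows PowerShell 5.1 on the Win 7 clients, and it writes only the SACL section through DirectoryInfo.SetAccessControl rather than Set-Acl, so that the TrustedInstaller ownership of these folders does not get in the way.

```powershell
# Added example (not from the thread): audit Everyone / Create files + Create folders /
# Success / "This folder only" on the three %SystemRoot% directories from the question.
# Run elevated; writing a SACL needs SeSecurityPrivilege (Administrators hold it), not WRITE_DAC.
$targets = @(
    (Join-Path $env:SystemRoot 'system'),
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\wbem')
)

# Well-known "Everyone" SID, so the script does not depend on the client's display language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# FILE_WRITE_DATA (0x2) is "Create files / write data"; FILE_APPEND_DATA (0x4) is
# "Create folders / append data". Together they are the AccessMask=0x6 the GUI-set folder showed.
$rights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor `
          [System.Security.AccessControl.FileSystemRights]::CreateDirectories

# InheritanceFlags None + PropagationFlags None is what the GUI calls "This folder only"
# (subinacl's /sgrant produced Flags=0x49/0x42, i.e. object+container inherit, instead).
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

foreach ($path in $targets) {
    $dir = Get-Item -LiteralPath $path
    # Read only the Audit section; SetAccessControl then persists only that section,
    # leaving owner (TrustedInstaller) and DACL untouched.
    $sec = $dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    # SetAuditRule replaces any existing explicit audit ACEs for Everyone with this one;
    # use AddAuditRule instead if existing entries must be kept.
    $sec.SetAuditRule($rule)
    $dir.SetAccessControl($sec)
    Write-Host "SACL updated on $path"
}

# Verify: each folder should show one explicit entry for Everyone with rights 6
# (write data + append data), AuditFlags Success, InheritanceFlags None, PropagationFlags None.
foreach ($path in $targets) {
    $sec = (Get-Item -LiteralPath $path).GetAccessControl('Audit')
    $sec.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Select-Object @{n = 'Path'; e = { $path }}, IdentityReference, FileSystemRights,
                      AuditFlags, InheritanceFlags, PropagationFlags
}
```

The object-access audit events still only appear once the "Audit object access" (or the advanced "File System" subcategory) policy is enabled for Success on the clients; the SACL alone generates nothing.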

Expert Comment

by:McKnife
ID: 40371524
Tried it at home (DC= 2012 R2) with a win7 x64 - works as expected, both through GPO and subinacl. No idea what is wrong at your side. Will try with 2008 as DC tomorrow.

Expert Comment

by:McKnife
ID: 40372838
Tried it.

Works as expected via GPO. Everything perfect.