File and Folder Auditing via Group Policy (GPO)

In a Windows 2008 Active Directory Domain, I am trying to set/enable auditing on all computers (Default Domain Policy) for the directories:

%SystemRoot%\system
%SystemRoot%\System32\drivers
%SystemRoot%\System32\wbem

Audit Settings are to track the "Everyone" group for:
create file / write data - Successful
create folders / append data - Successful

for "This Folder Only".

On gpupdate /force, the following appears in the winlogon.log:

----Configure File Security...
        Configure c:\windows\system.
Warning 5: Access is denied.
        Error setting security on c:\windows\system.
        Configure c:\windows\system32\drivers.
Warning 5: Access is denied.
        Error setting security on c:\windows\system32\drivers.
        Configure c:\windows\system32\wbem.
Warning 5: Access is denied.
        Error setting security on c:\windows\system32\wbem.

        File Security configuration was completed successfully.

I've searched here and on various TechNet/MS Social sites and so far the only hint I've gotten is that it _might_ be related to UAC.

However, thus far no replies have actually offered up a solution as to how to accomplish this without having to touch _every_ PC in the organization one-by-one.

I look forward to thoughts and discussion around this topic and can only hope for a solution.
Ed_VAsked:

McKnifeCommented:
The audit settings are propagated how?
This would be done using file system ACLs in GPOs as shown here: Screenshot
Is this how you do it?
0
Ed_VAuthor Commented:
Indeed yes...

Main GPO Editor:

GPEdit-config
Individual item details:

Properties:

system audit properties
Audit Entry:

System audit
Audit Tab:

Audit Tab
Resultant policy at a member workstation (Win 7 x64):

workstation results
So the command-line result as posted is accurate (I've added some that work as expected), to wit:

----Configure File Security...
        Configure c:\programdata.
        Configure c:\windows.
        Configure c:\windows\system.
Warning 5: Access is denied.
        Error setting security on c:\windows\system.
        Configure c:\windows\system32\config\systemprofile\appdata\local.
        Configure c:\windows\system32\config\systemprofile\appdata\locallow.
        Configure c:\windows\system32\config\systemprofile\appdata\roaming.
        Configure c:\windows\system32\drivers.
Warning 5: Access is denied.
        Error setting security on c:\windows\system32\drivers.
        Configure c:\windows\system32\wbem.
Warning 5: Access is denied.
        Error setting security on c:\windows\system32\wbem.

        File Security configuration was completed successfully.
0
McKnifeCommented:
Ok...
I am tempted to reproduce, but could you first try and see what happens if you start a shell as system (psexec -s -I cmd) and then inside do the same using subinacl as shown here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/4357bebc-a2bf-45bb-8ce1-1dc8f7adcbc2/command-to-set-modify-advanced-security-settings-audit-settings-for-folders-on-windows-2008?forum=winservergen
Does that work?
0
Ed_VAuthor Commented:
Thank you for the pointer to subinacl.

Promising tool, but the granularity/specificity doesn't seem to be there.

The below was done with a command prompt run as "psexec -s cmd" as the "psexec -s -l cmd" returned "cmd exited with error code -1073741502."

With a manual set via the GUI, SubInACL tells me:

subinacl /noverbose /file c:\Windows\system

========================
+File c:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =1
/aace =everyone  Type=0x2 Flags=0xc0 AccessMask=0x10046

or from the GUI:

pre-subinacl
The closest I seem to be able to come with the SubInACL tool is:

D:\>subinacl /outputlog=testsia.log /onlyfile C:\Windows\system\ /sgrant=Everyone=W

Elapsed Time: 00 00:00:00
Done:        1, Modified        1, Failed        0, Syntax errors        0
Last Done  : C:\Windows\system\

which produces:

subinacl /noverbose /file c:\Windows\system

========================
+File c:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =2
/aace =everyone  Type=0x2 Flags=0x49 AccessMask=0xf01bf
/aace =everyone  Type=0x2 Flags=0x42 AccessMask=0xf01bf

from the GUI, this is:

post-subinacl
Not quite the same, and I don't see an option in SubInACL to set the audit type to "0xc0".

Hoping I missed something here, but it doesn't seem that way...
0
McKnifeCommented:
Ok, one step back, please:
psexec -s -I cmd
it's not an L, it's an I (or i).

Please retry.
0
Ed_VAuthor Commented:
That does make a difference (doggone sans-serif fonts...).

OK, running as "-i -s", it did work and the new CMD window popped.

D:\>whoami
nt authority\system

D:\>subinacl /noverbose /file C:\Windows\system

========================
+File C:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =1
/aace =everyone  Type=0x2 Flags=0x40 AccessMask=0x6
/perm. ace count   =9
/pace =trustedinstaller  Type=0x0 Flags=0x0 AccessMask=0x1f01ff
/pace =trustedinstaller  Type=0x0 Flags=0xa AccessMask=0x10000000
/pace =nt authority\system  Type=0x0 Flags=0x0 AccessMask=0x1301bf
/pace =nt authority\system  Type=0x0 Flags=0xb AccessMask=0x10000000
/pace =builtin\administrators  Type=0x0 Flags=0x0 AccessMask=0x1301bf
/pace =builtin\administrators  Type=0x0 Flags=0xb AccessMask=0x10000000
/pace =builtin\users  Type=0x0 Flags=0x0 AccessMask=0x1200a9
/pace =builtin\users  Type=0x0 Flags=0xb AccessMask=0xa0000000
/pace =creator owner  Type=0x0 Flags=0xb AccessMask=0x10000000


Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        0, Syntax errors        0
Last Done  : C:\Windows\system

Slightly different flags showing, but the GUI is still accurate to what I want to achieve (as above).

From the "/help" option, I see that the "Successfull Audit" options are:

/sgrant=[DomainName\]User[=Access]

     will add a Successfull (Allow) Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.
     Ex: SubInacl /file c:\windows\explorer.exe /sgrant=everyone=R
         will set the audit for everyone's successful access

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

So, to execute I used:

D:\>subinacl /onlyfile C:\Windows\system /sgrant=Everyone=W
C:\Windows\system : delete Audit ACE 0 \everyone
C:\Windows\system : new ace for \everyone
C:\Windows\system : new ace for \everyone
C:\Windows\system : 3 change(s)


Elapsed Time: 00 00:00:00
Done:        1, Modified        1, Failed        0, Syntax errors        0
Last Done  : C:\Windows\system

Which resulted in:

D:\>subinacl /noverbose /file C:\Windows\system

========================
+File C:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =2
/aace =everyone  Type=0x2 Flags=0x49 AccessMask=0x301bf
/aace =everyone  Type=0x2 Flags=0x42 AccessMask=0x301bf
/perm. ace count   =9
/pace =trustedinstaller  Type=0x0 Flags=0x0 AccessMask=0x1f01ff
/pace =trustedinstaller  Type=0x0 Flags=0xa AccessMask=0x10000000
/pace =nt authority\system  Type=0x0 Flags=0x0 AccessMask=0x1301bf
/pace =nt authority\system  Type=0x0 Flags=0xb AccessMask=0x10000000
/pace =builtin\administrators  Type=0x0 Flags=0x0 AccessMask=0x1301bf
/pace =builtin\administrators  Type=0x0 Flags=0xb AccessMask=0x10000000
/pace =builtin\users  Type=0x0 Flags=0x0 AccessMask=0x1200a9
/pace =builtin\users  Type=0x0 Flags=0xb AccessMask=0xa0000000
/pace =creator owner  Type=0x0 Flags=0xb AccessMask=0x10000000


Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        0, Syntax errors        0
Last Done  : C:\Windows\system

Same result as last time, showing extra options in the GUI and not restricting itself to "This folder only".

Thanks again for the ongoing help!
0
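As an added example (not from the thread), the following Windows PowerShell function decodes the Flags/AccessMask pairs on subinacl's /aace lines into the wording of the Advanced Security GUI, using the ACE_HEADER flag bits and the FILE_* / standard access rights from winnt.h; the sample values are the ones quoted above. It shows why the two ACEs that /sgrant=Everyone=W created are displayed as one "This folder, subfolders and files" row.

```powershell
# Added example (not from the thread): decode the Flags/AccessMask pairs that subinacl prints
# on its /aace lines into the wording of the Advanced Security GUI. Bit values are the ACE_HEADER
# flags and the FILE_* / standard access rights from winnt.h; the sample values are the ones
# quoted in this thread. Plain hashtables are used so that integer keys are looked up by value.
$AceFlagNames = @{
    0x01 = 'OBJECT_INHERIT_ACE';  0x02 = 'CONTAINER_INHERIT_ACE'; 0x04 = 'NO_PROPAGATE_INHERIT_ACE'
    0x08 = 'INHERIT_ONLY_ACE';    0x10 = 'INHERITED_ACE'
    0x40 = 'SUCCESSFUL_ACCESS_ACE_FLAG'; 0x80 = 'FAILED_ACCESS_ACE_FLAG'
}
$FolderRightNames = @{
    0x000001 = 'List folder / read data';      0x000002 = 'Create files / write data'
    0x000004 = 'Create folders / append data'; 0x000008 = 'Read extended attributes'
    0x000010 = 'Write extended attributes';    0x000020 = 'Traverse folder / execute file'
    0x000040 = 'Delete subfolders and files';  0x000080 = 'Read attributes'
    0x000100 = 'Write attributes';             0x010000 = 'Delete'
    0x020000 = 'Read permissions';             0x040000 = 'Change permissions'
    0x080000 = 'Take ownership';               0x100000 = 'Synchronize'
}

function Get-AppliesTo([int]$Flags) {
    # The three inheritance bits decide the GUI's "Applies to" column for a folder ACE
    $oi = ($Flags -band 0x1) -ne 0; $ci = ($Flags -band 0x2) -ne 0; $io = ($Flags -band 0x8) -ne 0
    $below = @(); if ($ci) { $below += 'subfolders' }; if ($oi) { $below += 'files' }
    if ($below.Count -eq 0) { return 'This folder only' }        # 0x40 / 0xc0 in the thread
    $tail = $below -join ' and '
    if ($io) { return $tail.Substring(0, 1).ToUpper() + $tail.Substring(1) + ' only' }
    if ($below.Count -eq 2) { return 'This folder, subfolders and files' }
    return "This folder and $tail"
}

function ConvertFrom-SubinaclAce([int]$Flags, [int]$AccessMask) {
    $names  = @(foreach ($k in ($AceFlagNames.Keys | Sort-Object)) { if ($Flags -band $k) { $AceFlagNames[$k] } })
    $rights = @(foreach ($k in ($FolderRightNames.Keys | Sort-Object)) { if ($AccessMask -band $k) { $FolderRightNames[$k] } })
    [pscustomobject]@{
        Flags = '0x{0:x}' -f $Flags; FlagNames = ($names -join '|')
        AppliesTo = Get-AppliesTo $Flags; Rights = ($rights -join ', ')
    }
}

# The GUI-set entry as seen from the SYSTEM shell, then the two ACEs /sgrant=Everyone=W created.
# The GUI merges that pair (files only + this folder and subfolders) into one row reading
# "This folder, subfolders and files", which is the extra scope reported in the thread.
@(@(0x40, 0x6), @(0x49, 0x301bf), @(0x42, 0x301bf)) |
    ForEach-Object { ConvertFrom-SubinaclAce $_[0] $_[1] } | Format-Table -AutoSize
```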
McKnifeCommented:
To hit only c:\windows\system, use
subinacl.exe /file=directoriesonly C:\Windows\system /sgrant=Everyone=W

0
McKnifeCommented:
By the way, I was tempted to test it, the GPO, I mean, and it worked on c:\windows\system.
Client is 8.1, DC is 2012 R2.
0
Ed_VAuthor Commented:
Well darn. I must have something odd in my A/D setup and configuration since the GPO steadfastly refuses to work as expected and the SubInACL command refuses to set audit on _only_ the referred folder (at least for 2008R2 DC and Win 7 clients).

Maybe once we upgrade to 2012 (expected sometime in 2016 - we're a corporation and don't necessarily stay on the bleeding edge), it will work as documented.

Output from your directive above:

========================
+File C:\Windows\system
========================
/control=0x3c00
/owner             =trustedinstaller
/primary group     =trustedinstaller
/audit ace count   =2
/aace =everyone  Type=0x2 Flags=0x49 AccessMask=0x20116
/aace =everyone  Type=0x2 Flags=0x42 AccessMask=0x20116
/perm. ace count   =9

which in the GUI sets auditing for "This folder, subfolders and files" along with Successful audit flags for Create files, Create folders, Write attributes, Write extended and Read attributes.

All I need is the two "Create" access options.

Ah well, it was worth the question and I appreciate your help!

I'll accept the solution, but if you think of anything else, please don't hesitate to add to the thread.

Thanks again.
0
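As an added example (not from the thread), this Windows PowerShell 5.1 script writes exactly the entry the question and the post above ask for, Everyone / Create files + Create folders / Successful / This folder only, on a single folder from an elevated prompt. It uses the .NET FileSystemAuditRule API rather than subinacl; $Target is an assumed value and only the SACL section is read and written, which needs SeSecurityPrivilege but not ownership of the folder.

```powershell
# Added example (not from the thread): set the audit entry from the question on one folder using
# the .NET FileSystemAuditRule API from an elevated Windows PowerShell 5.1 prompt. Only the SACL
# section is read and written, so the TrustedInstaller owner and the DACL are left untouched.
$Target = 'C:\Windows\system'   # assumed target; any of the three folders from the question

function Set-CreateAuditThisFolderOnly {
    param([Parameter(Mandatory)][string]$Folder)
    $everyone = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    # CreateFiles (FILE_ADD_FILE, 0x2) + CreateDirectories (FILE_ADD_SUBDIRECTORY, 0x4) = mask 0x6,
    # the AccessMask subinacl printed for the GUI-set entry when run from the SYSTEM shell above
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    # No inheritance or propagation flags = "This folder only"; Success = the "Successful" column
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $everyone, $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $dir = Get-Item -LiteralPath $Folder
    # Reading the SACL needs SeSecurityPrivilege; .NET enables it for the Audit section when elevated
    $sd = $dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    # SetAuditRule replaces Everyone's existing audit entries instead of stacking another one
    $sd.SetAuditRule($rule)
    # Persist writes back only the modified section, i.e. the SACL
    $dir.SetAccessControl($sd)
}

function Get-FolderAuditRules {
    param([Parameter(Mandatory)][string]$Folder)
    $sd = (Get-Item -LiteralPath $Folder).GetAccessControl(
        [System.Security.AccessControl.AccessControlSections]::Audit)
    # $true, $true = include explicit and inherited rules; identities resolved to account names
    $sd.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags
}

Set-CreateAuditThisFolderOnly -Folder $Target
Get-FolderAuditRules -Folder $Target | Format-Table -AutoSize
```

The SACL alone produces nothing in the Security log until the Object Access > File System audit subcategory is enabled on the machine (check with auditpol /get /subcategory:"File System"); matching writes then appear as event 4663.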
Ed_VAuthor Commented:
The rapid assistance was greatly appreciated - even though it seems to be a mismatch between Microsoft documentation and the actual capability of the systems in question that is the root culprit.
0
McKnifeCommented:
I think the error is on your side rather than in the systems; could it be just small mistakes?
If you set up auditing through GPO just as you documented, it will work. If it doesn't for you, I bet it's not the DC version nor the client version. If you like, I can set up a test machine with win7 or whatever client you use (?) and see what happens. Our DCs are 2008.

About subinacl: this has to work. Be sure that you removed the inheritance manually prior to using the command.
0
Ed_VAuthor Commented:
If so, they're really small and repeated attempts with the changes you suggested above don't seem to make any difference in outcome.

And it's not that SubInACL doesn't work, it's that it is not granular enough - the "single letter" options available as flags select too much and from what I can see (and read in multiple posts on Social.Microsoft), the behavior of setting "This folder, subfolders and files" is default for SubInACL and any means of changing this has not yet been discovered.

As a last gasp effort on my part, I cleared _all_ audit settings from the C:\Windows\system folder and re-applied with SubInACL using the last set of flags you recommended.

Still the same result...

We do use 2008R2 as DCs and have Win 7 clients - if you want to test, I'll be open to what you find, but you've spent some time on this already and I don't want to plague you further if you're frustrated with my lack of success.

Thanks again.
0
McKnifeCommented:
Tried it at home (DC = 2012 R2) with a win7 x64 - works as expected, both through GPO and subinacl. No idea what is wrong on your side. Will try with 2008 as DC tomorrow.
0
McKnifeCommented:
Tried it.

Works as expected via GPO. Everything perfect.
0