Enable Auditing on specific Directories via GPO

I need to enable auditing on specific directories on about 500 servers.

Directories:

%systemroot%\
%systemroot%\repair
%systemroot%\config
%systemroot%\system32
%systemroot%\system32\drivers


I know how to configure each server manually/enable auditing on a specific directory. However, how would I perform this via GPO on a massive scale?

many thx

Asked by: tobe1424

Asif Bacchus, I.T. Consultant, commented:
I think your best bet would be to create a Security Template and deploy that via Group Policy to the OU(s) with your servers.

Open MMC and add the Security Template snap-in.  Under Security Templates, you'll see <Username>\Documents\Security\Templates.  This is where it will be stored by default, but don't worry, you can save it anywhere later.  Right-click and select New Template.  Name it, optionally give it a description, and click OK.

Expand your new template > File System.  Right-click and Add File.  Type %SystemRoot% in the folder box and click OK.  You'll be presented with the default Security dialog.  Click Advanced > Auditing Tab.  Now add the auditing entries you would like to set up as usual.  Also make sure you check whether or not you'd like this folder to inherit auditing permissions from its parent folder.  After clicking OK twice, you'll get the Add Object dialog box asking whether you'd like to propagate permissions.  Answer accordingly.  Now repeat this for your other folders.

Once you are done, right-click the security template and choose Save As... and save it where you'd like.  You can then delete the template in MMC.

Now, assuming you only want the auditing entries to apply (and NOT NTFS security permissions settings also), you'll want to edit the INF file.  Open the INF in your favourite text editor and delete permissions that start with "D:PAR" and leave only the ones that start with "S:AR".

Now we can deploy this with a GPO:

Create a GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings.  Right-click Security Settings and choose Import Policy.  Verify that the settings are imported properly in Computer Configuration > Policies > Windows Settings > Security Settings > File System.

Now you can deploy that GPO as needed and the auditing entries will be set on the file system as you defined.  If you need to actually turn on auditing in the first place, you can find the necessary settings in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy (or use the Advanced Audit Policy Configuration).

HTH.
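The INF edit described in the answer above (drop the "D:PAR" permissions part, keep the "S:AR" auditing part), as an added Python example that is not part of the original answer. The function names and the sample template are constructed for illustration, and it assumes each [File Security] entry has the form "path",mode,"SDDL".

```python
import re

# One [File Security] entry (assumed layout): "path",mode,"SDDL"
ENTRY = re.compile(r'^(\s*"[^"]*"\s*,\s*\d+\s*,\s*)"([^"]*)"\s*$')

def sacl_only(sddl):
    """Return only the S: (audit) component of an SDDL string, or '' if none."""
    depth, marks = 0, []
    for i, ch in enumerate(sddl):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ":" and depth == 0 and i > 0 and sddl[i - 1] in "OGDS":
            marks.append(i - 1)  # start of an O:/G:/D:/S: component
    marks.append(len(sddl))
    for start, end in zip(marks, marks[1:]):
        if sddl[start] == "S":
            return sddl[start:end]
    return ""

def strip_dacls(template_text):
    """Rewrite [File Security] entries so each keeps only its audit (S:) part."""
    out, in_files = [], False
    for line in template_text.splitlines():
        if line.strip().startswith("["):
            in_files = line.strip().lower() == "[file security]"
        m = ENTRY.match(line) if in_files else None
        if m:
            sacl = sacl_only(m.group(2))
            if not sacl:
                # Refuse to emit an entry that would carry no auditing at all.
                raise ValueError("no audit entries (S:) on line: " + line)
            line = m.group(1) + '"' + sacl + '"'
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample template, not taken from a real server.
SAMPLE = '''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemRoot%\\repair",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)S:AR(AU;OICISAFA;SDWDWO;;;WD)"
"%SystemRoot%\\system32\\drivers",0,"D:PAR(A;OICI;FA;;;BA)S:AR(AU;OICISAFA;SDWDWO;;;WD)"
'''

if __name__ == "__main__":
    print(strip_dacls(SAMPLE), end="")
```

Run it against a copy of the saved template and review the result before importing it into the GPO; templates saved by the snap-in are normally Unicode (UTF-16) files, so read and write them with that encoding.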

Windows Server 2008


Question has a verified solution.
