Solved

Enable Auditing on specific Directories via GPO

Posted on 2014-11-21
Last Modified: 2014-11-21
I need to enable auditing on specific directories on about 500 servers.

Directories:

%systemroot%\
%systemroot%\repair
%systemroot%\config
%systemroot%\system32
%systemroot%\system32\drivers


I know how to configure each server manually/enable auditing on a specific directory. However, would I perform this via GPO on a massive scale?

many thx

t
Question by:tobe1424

Accepted Solution

by:
Asif Bacchus earned 500 total points
ID: 40458158
I think your best bet would be to create a Security Template and deploy that via Group Policy to the OU(s) with your servers.

Open MMC and add the Security Template snap-in.  Under Security Templates, you'll see <Username>\Documents\Security\Templates.  This is where it will be stored by default, but don't worry, you can save it anywhere later.  Right-click and select New Template.  Name it, optionally give it a description, and click OK.

Expand your new template > File System.  Right-click and Add File.  Type %SystemRoot% in the folder box and click OK.  You'll be presented with the default Security dialog.  Click Advanced > Auditing Tab.  Now add the auditing entries you would like to set up as usual.  Also make sure you check whether or not you'd like this folder to inherit auditing permissions from its parent folder.  After clicking OK twice, you'll get the Add Object dialog box asking whether you'd like to propagate permissions.  Answer accordingly.  Now repeat this for your other folders.

Once you are done, right-click the security template and choose Save As... and save it where you'd like.  You can then delete the template in MMC.

Now, assuming you only want the auditing entries to apply (and NOT NTFS security permissions settings also), you'll want to edit the INF file.  Open the INF in your favourite text editor and delete permissions that start with "D:PAR" and leave only the ones that start with "S:AR".

Now we can deploy this with a GPO:

Create a GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings.  Right-click Security Settings and choose Import Policy.  Verify that the settings are imported properly in Computer Configuration > Policies > Windows Settings > Security Settings > File System.

Now you can deploy that GPO as needed and the auditing entries will be set on the file system as you defined.  If you need to actually turn on auditing in the first place, you can find the necessary settings in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy (or use the Advanced Audit Policy Configuration).

HTH.
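
The INF edit described in the answer above (delete the permissions that start with "D:PAR", keep the ones that start with "S:AR"), scripted in PowerShell as an added example that is not part of the original answer. The function name, the file names and the sample template lines are constructed for illustration; it assumes each [File Security] entry has the form "path",mode,"SDDL" with the audit (S:) part after the permissions (D:) part.

```powershell
# Added example; the function name and file names are hypothetical.
function Convert-TemplateToSaclOnly {
    param([string[]] $Line)                      # lines of the exported .inf

    # "path",mode,"SDDL" as written under [File Security]
    $entry   = '^\s*"(?<path>[^"]+)"\s*,\s*(?<mode>\d)\s*,\s*"(?<sddl>[^"]*)"\s*$'
    $section = ''
    foreach ($l in $Line) {
        if ($l -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
            $section = $Matches['name']          # track which INF section we are in
            $l
        }
        elseif ($section -eq 'File Security' -and $l -match $entry) {
            $path, $mode, $sddl = $Matches['path'], $Matches['mode'], $Matches['sddl']
            $saclAt = $sddl.IndexOf('S:', [System.StringComparison]::Ordinal)
            if ($saclAt -lt 0) {
                # No audit entries at all: drop the line rather than deploy its DACL
                Write-Warning "No S: part for $path; entry removed"
                continue
            }
            # Keep only the S: (auditing) part; the D: part before it is discarded
            '"{0}",{1},"{2}"' -f $path, $mode, $sddl.Substring($saclAt)
        }
        else { $l }                              # every other line passes through
    }
}

# Constructed sample of an exported template (SDDL strings are illustrative).
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemRoot%\repair",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)S:AR(AU;OICISAFA;FA;;;WD)"
"%SystemRoot%\system32\drivers",0,"D:PAR(A;OICI;FA;;;BA)S:AR(AU;OICIFA;FA;;;WD)"
"%SystemRoot%\config",0,"D:PAR(A;OICI;FA;;;BA)"
'@ -split "`r?`n"

Convert-TemplateToSaclOnly -Line $sample

# On a real file (templates are normally saved as UTF-16, so write Unicode back):
# Convert-TemplateToSaclOnly (Get-Content .\audit.inf) |
#     Set-Content .\audit-sacl.inf -Encoding Unicode
```

Review the warnings before importing the result into the GPO: an entry reported there had no auditing entries defined in the template and is left out of the output.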