Solved

Enable Auditing on specific Directories via GPO

Posted on 2014-11-21
Last Modified: 2014-11-21
I need to enable auditing on specific directories on about 500 servers.

Directories:

%systemroot%\
%systemroot%\repair
%systemroot%\config
%systemroot%\system32
%systemroot%\system32\drivers


I know how to configure each server manually/enable auditing on a specific directory. However, how would I perform this via GPO on a massive scale?

many thx

t
Question by:tobe1424

Accepted Solution

by: Asif Bacchus earned 500 total points
ID: 40458158
I think your best bet would be to create a Security Template and deploy that via Group Policy to the OU(s) with your servers.

Open MMC and add the Security Template snap-in.  Under Security Templates, you'll see <Username>\Documents\Security\Templates.  This is where it will be stored by default, but don't worry, you can save it anywhere later.  Right-click and select New Template.  Name it, optionally give it a description, and click OK.

Expand your new template > File System.  Right-click and Add File.  Type %SystemRoot% in the folder box and click OK.  You'll be presented with the default Security dialog.  Click Advanced > Auditing Tab.  Now add the auditing entries you would like to set up as usual.  Also make sure you check whether or not you'd like this folder to inherit auditing permissions from its parent folder.  After clicking OK twice, you'll get the Add Object dialog box asking whether you'd like to propagate permissions.  Answer accordingly.  Now repeat this for your other folders.

Once you are done, right-click the security template and choose Save As... and save it where you'd like.  You can then delete the template in MMC.

Now, assuming you only want the auditing entries to apply (and NOT NTFS security permissions settings also), you'll want to edit the INF file.  Open the INF in your favourite text editor and delete permissions that start with "D:PAR" and leave only the ones that start with "S:AR".

Now we can deploy this with a GPO:

Create a GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings.  Right-click Security Settings and choose Import Policy.  Verify that the settings are imported properly in Computer Configuration > Policies > Windows Settings > Security Settings > File System.

Now you can deploy that GPO as needed and the auditing entries will be set on the file system as you defined.  If you need to actually turn on auditing in the first place, you can find the necessary settings in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy (or use the Advanced Audit Policy Configuration).

HTH.
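
The INF edit described in the answer above, scripted so that it can be repeated across several templates. This is an added example, not part of the original answer; the function names are hypothetical, and it assumes each [File Security] entry has the form "path",mode,"SDDL" with the DACL and SACL in one SDDL string.

```powershell
# Added example: function names and sample entries are constructed.
function Get-SaclOnlySddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # A component marker (O:, G:, D:, S:) only counts outside parentheses,
    # so nothing inside an ACE is mistaken for the start of a component.
    $depth = 0; $start = -1
    for ($i = 0; $i -lt $Sddl.Length; $i++) {
        $c = $Sddl[$i]
        if ($c -eq '(') { $depth++ }
        elseif ($c -eq ')') { $depth-- }
        elseif ($depth -eq 0 -and ($i + 1) -lt $Sddl.Length -and $Sddl[$i + 1] -eq ':') {
            if ($start -ge 0) { break }       # next component ends the SACL
            if ($c -ceq 'S') { $start = $i }  # SACL component begins here
        }
    }
    if ($start -lt 0) { return $null }        # entry carries no SACL
    $Sddl.Substring($start, $i - $start)
}

function Convert-TemplateToAuditOnly {
    param([string[]]$Line)
    $inFileSecurity = $false
    foreach ($l in $Line) {
        if ($l -match '^\s*\[(.+)\]\s*$') {
            # Section header: only [File Security] entries are rewritten.
            $inFileSecurity = ($Matches[1] -eq 'File Security')
            $l
        }
        elseif ($inFileSecurity -and $l -match '^\s*"([^"]+)"\s*,\s*(\d)\s*,\s*"([^"]+)"\s*$') {
            $path, $mode = $Matches[1], $Matches[2]
            $sacl = Get-SaclOnlySddl -Sddl $Matches[3]
            if ($sacl) { '"{0}",{1},"{2}"' -f $path, $mode, $sacl }
            else { Write-Warning "No SACL on $path; entry dropped" }
        }
        else { $l }                           # all other lines pass through
    }
}

# Constructed sample template content.
$sample = @(
    '[Version]'
    'signature="$CHICAGO$"'
    '[File Security]'
    '"%SystemRoot%\repair",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)S:AR(AU;OICISAFA;WD;;;WD)"'
    '"%SystemRoot%\system32\drivers",0,"D:PAR(A;OICI;FA;;;BA)S:AR(AU;OICISAFA;WD;;;WD)"'
)
Convert-TemplateToAuditOnly -Line $sample
```

To process a saved template, pass the output of Get-Content to -Line and write the result back in the file's original encoding.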