How do I log changes to folder and files on the server in Windows 2008?

I have configured my server to audit object access (domain users - successful - create files/folders, delete sub-folders, delete) and configured my default domain controllers policy to audit object and directory service access (success) yet there are no entries on the security event for object access when any of these events occur.
LVL 4
fuzzyfreakAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
I have just answered this exact question by someone else yesterday. See the PAQ at the link below for your answer.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28668241.html

Will.
0
fuzzyfreakAuthor Commented:
Thanks Will, what is it in your answer that I have not already done? I am afraid I do not see.
0
Will SzymkowskiSenior Solution ArchitectCommented:
what is it in your answer that I have not already done? I am afraid I do not see.
Only you can answer that. Personally this is not difficult to setup, so what i think might have happened is there might have been a missed step. Did you follow the complete tutorial to ensure that no steps were missed?

Will.
0
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

fuzzyfreakAuthor Commented:
Unfortunately this article is not specific enough for my needs - it does not tell me which policy to modify.
As stated, I had already configured this for my domain controllers policy, this article suggests doing it on the default domain policy, so I have configured "Audit Object Access = Success" on this.
In your referred article it gives a 5 step process. But not all the steps appear in the article, plus it seems incomplete, for instance. It states
Enabling Object Auditing
If audit access to objects is chosen as part of the audit policy, either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server) must be also turned on. WHERE/HOW? Once the correct object access category has been turned on, each individual object's Properties can be used to specify whether to audit successes or failures for the specific access request to each group or user.

Step 3.
Configure the Event Log
- does not exists.

Remember, I have already -

1. Enabled the correct policy
2. Enabled auditing on the shared folder to audit successful (see attached)
Audit.docx
0
Will SzymkowskiSenior Solution ArchitectCommented:
Does this setting work on any other servers on your network? when you are looking in the Security Logs are you filtering on the correct events?

The link below outlines different types of events to filter on.
http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx

Also have you seen the below article.
http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx

Will.
0
fuzzyfreakAuthor Commented:
Thanks Will, it would help me if you make reference to specific parts of these long articles, what is it you are referring to?  I know which events I am looking for, they just are not there. I would really prefer some help on troubleshooting the issue, which is that audit logging is not working having followed the correct procedure.
0
Will SzymkowskiSenior Solution ArchitectCommented:
Sorry, normally i would illustrate this from my lab using screenshots but right now i do not have the time unfortunately. I honestly think you are missing some step which is why it is not working.

If you haven't resolved this later i will post screenshots of the process.

Will.
0
fuzzyfreakAuthor Commented:
Still need resolution to this. Many thanks.
0
Will SzymkowskiSenior Solution ArchitectCommented:
Sorry sitll been extreamly busy, should be able to get to this today.

Will.
0
Will SzymkowskiSenior Solution ArchitectCommented:
I just tested this and it works. I had to change a few things around but overall it is working...
Below are all of the settings that I configured...

I used this link below as a reference, but as i said i tewaked it slightly.

Object1.JPGObject2.JPGObject3.JPGObject4.JPGObject5.JPGObject6.JPGObject7.JPG
Sorry for the delay on this.

Will.
0
fuzzyfreakAuthor Commented:
Hi Will, thanks very much for the screen shots.  I am just working through them but screen shot two shows a Local Computer Policy - how do I get to that?
Thanks
0
Will SzymkowskiSenior Solution ArchitectCommented:
Edit the Default Domain Policy, Computer Config>Windows Settings>Security Settings> Local Policies

Then modify Object Access Success/Fail and also if you want Active Directory Service Access.

Will.
0
fuzzyfreakAuthor Commented:
Still looks like I have everything right but not working.  I need to spend some time working through it again.
0
Will SzymkowskiSenior Solution ArchitectCommented:
Yeah not sure what is different in your environment but this is pretty straightforward. Are the policies getting applied to the file server you wish to audit?

Will.
0
fuzzyfreakAuthor Commented:
The policy and the file server are one and the same.
0
fuzzyfreakAuthor Commented:
Hmmm, I just ran RSOP.msc and it says that the policies are coming from the Default Domain Controllers policy, but it then has a Red X next to them stating "the policy engine did not attempt to configure the setting..."

It then refers to my winlogon.log - so I am trying to untangle that for the answer.
0
fuzzyfreakAuthor Commented:
Hold your horses, I do believe I have sussed it with the use of this article -
http://windowsexplored.com/2014/01/31/why-arent-my-windows-audit-policies-working/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
fuzzyfreakAuthor Commented:
So it turned out that my server was configured with "audit policy subcategory settings" and so I needed to configure these.  I am now seeing the 4663 events in the security log. Thank you very much for your help, Will.
0
fuzzyfreakAuthor Commented:
Got there in the end, thanks.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.