Need Help Configuring File Access Auditing in Server 2012

I have a site that needs to know who and when info about file deletes and moves. Moves will probably end up being a file create event following a delete, I'm guessing. Back to that later. I have done some reading from which I have gathered that this may be a two-step process: 1) I have to configure Advanced Audit Policy Configuration in group policy. 2) Next, I have to configure Auditing in the Properties, Security, Advanced, Auditing tab of the folder I want to monitor. I need detailed assistance with setting this up as I have zero prior experience with it. Any takers? :)
tcianfloneAsked:

Benjamin VoglarIT ProCommented:
I found a nice video for you:

https://www.youtube.com/watch?v=LOsRDI1O3Dc
tcianfloneAuthor Commented:
Video is marginally helpful. I have enabled object access auditing in a new group policy I have named File Access Auditing and have linked it to the domain controller container. I enabled it here, as shown in the video: Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.

I need to set up auditing on the target folder so that ONLY file deletes and file creates are logged to limit the events I see in the Security event log. The video does not address that part of my configuration, as far as I can see. The resolution of the video is bad enough that you can barely tell what is being done and there is no audio explaining anything. So, I need additional help. Thanks.
tcianfloneAuthor Commented:
On further reading at TechNet, it appears that a better way to do this is enabling auditing here: Computer Configuration, Policies, Windows Settings, Security Settings, Advanced Audit Policy Configuration, Audit Policies. In particular, the Audit File Share looks useful. I'm still not clear how to do this.

MaheshArchitectCommented:
You don't need to enable this setting in a policy linked to the Domain Controllers container (OU).

You need to create one new OU, move those file server computer accounts underneath it, and there apply a new GPO where you enable auditing settings under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy (Audit object access setting).
This will generate logs on that file server under Security events.
You only need to extend the Security event log size through local gpedit.msc on the file server, OR you can increase it from the same GPO above so that the log will be retained for more days; check the screenshot for more details.

The other thing you have done, enabling auditing on the folder level for success and failure in the advanced NTFS folder properties\auditing tab, is correct.
C--Users-Mahesh-Pictures-eventlog.jpg
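The NTFS auditing step described in this answer, and the asker's goal above of logging only file creates and deletes, can also be done without the GUI. The following is an added PowerShell example written for this thread; it is not from either participant. It assumes a placeholder folder path (D:\Shares\Finance) and must be run elevated, since writing a SACL requires SeSecurityPrivilege. It first checks the effective "File System" audit subcategory (what the GPO's object access setting turns on), then adds an audit entry limited to CreateFiles and Delete for Everyone, inherited by subfolders and files.

```powershell
# Added example for this thread (not the participants' own steps).
# $Folder is a placeholder path; run in an elevated PowerShell session.
param([string]$Folder = 'D:\Shares\Finance')

# 1. Confirm that the "File System" subcategory is actually being audited on this
#    server. If it reports "No Auditing", the GPO has not applied (see rsop.msc /
#    gpupdate /force later in the thread) and no folder SACL will produce events.
auditpol /get /subcategory:"File System"

# 2. Build one audit rule: Everyone, CreateFiles + Delete (+ DeleteSubdirectoriesAndFiles
#    so deletes of whole subfolders are caught), success and failure, inherited by
#    subfolders ("ContainerInherit") and files ("ObjectInherit").
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    [System.Security.Principal.NTAccount]'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# 3. Read the current SACL (-Audit), replace any existing audit rules for Everyone
#    with this one (use AddAuditRule instead to append), and write it back.
$acl = Get-Acl -Path $Folder -Audit
$acl.SetAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Show what the SACL now contains so it can be compared with the Auditing tab.
(Get-Acl -Path $Folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags
```

Keeping the rule to CreateFiles and Delete is what limits the Security log to the events the asker wants; auditing Full Control on a busy share produces a 4663 for every read and attribute change and fills the log quickly.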

tcianfloneAuthor Commented:
Please review the attached graphics. Did I miss anything? A couple of notes: I linked the File Access Auditing gpo to the Domain Controllers container because there is only the one DC at this site. In the NTFS Auditing dialog, I am only looking for those particular events, creates and deletes. Is there a reference to the event IDs I should be looking for on deletes and such? I looked around but can't seem to find a comprehensive list. This is server 2012 R2. Thanks.
fileaccess-gpo.png
fileaccess-gposetting.png
fileaccess-logretention.png
fileaccess-auditdialog.png
tcianfloneAuthor Commented:
I just tested by having a user create a new text file, then delete it. I don't see any events at all in the security log.
MaheshArchitectCommented:
The screenshots are OK except one.

Not sure why the policy is applied to the Domain Controllers OU?

Are you using the DC as the file server?
If not, then attach the File Access Auditing GPO to the OU where your file server computer account resides. Also enable auditing for failures as well.

If the DC is acting as the file server, check the Security event logs on the DC server, run gpupdate /force on the DC, increase the Security event log on the DC to 100 MB minimum, and then check.
tcianfloneAuthor Commented:
Mahesh, thanks for your input so far. Yes, this is a Server 2012R2 installation, only the one server, so it's doing everything including DC and file server. I have enabled auditing for failures and have increased the security event log max size to 250MB. Ran gpupdate /force. I will watch for activity once the office becomes active today.
tcianfloneAuthor Commented:
Just checked in on this site. At this point, there are NO NEW security events being logged, not even logon/logoff events! I created and deleted a file in the folder I am auditing from a domain user account and no events were created for that either. Somehow I managed to turn security auditing off altogether.
MaheshArchitectCommented:
If no events are logged in the event log (not even logon/logoff), it means no policy is applying to the domain controllers.

Run rsop.msc on the domain controller and verify whether any policy is applied on the DC (at least the Default Domain Controllers Policy should apply).
tcianfloneAuthor Commented:
RSOP.MSC revealed that object access auditing was explicitly turned off in the default domain controller policy. So, I deleted my File Access Policy and made the edit in the default domain controller policy, ran gpupdate /force, and the security events started populating again. Next I'll test whether the file delete/add events show up.
tcianfloneAuthor Commented:
This appears to be working now. The events of interest seem to be: 4663 for add/create file; 4656 for delete file. Thanks for your assistance, Mahesh. I'm going to keep this question open for a day or so just in case I have any additional questions.
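Once events 4663 and 4656 are arriving, the "who and when" from the original question still has to be pulled out of the event XML. The following is an added PowerShell example for this thread, not the asker's or Mahesh's code. It assumes a placeholder folder path and a look-back window, reads the two event IDs named above from the Security log, flattens each event's EventData, decodes the AccessMask bits that correspond to creating and deleting files, and lists user, path, access and process for events under the audited folder.

```powershell
# Added example for this thread (not the participants' own code).
# $Folder is a placeholder; $Hours bounds how far back the Security log is read.
param([string]$Folder = 'D:\Shares\Finance', [int]$Hours = 24)

# File access-mask bits relevant to "create" and "delete". The event's AccessMask
# field is a hex string such as "0x10000"; the names follow the Windows file
# access rights (WriteData/AddFile = 0x2, DeleteChild = 0x40, DELETE = 0x10000).
$maskNames = @{ 0x2 = 'WriteData/AddFile'; 0x40 = 'DeleteChild'; 0x10000 = 'DELETE' }

# 4663 = an access to the object was performed; 4656 = a handle was requested.
$filter = @{ LogName = 'Security'; Id = 4663, 4656; StartTime = (Get-Date).AddHours(-$Hours) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten <EventData><Data Name="...">value</Data> into a name -> value table.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Decode the mask into the names above; [int]"0x10000" parses the hex string.
    $mask  = [int]$d.AccessMask
    $names = $maskNames.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $maskNames[$_] }

    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Path    = $d.ObjectName
        Access  = ($names -join ', ')
        Process = $d.ProcessName
    }
} |
Where-Object { $_.Path -like "$Folder\*" -and $_.Access } |   # keep only create/delete under the folder
Sort-Object Time |
Format-Table -AutoSize
```

A delete shows up with DELETE (0x10000) on the file's full path, and a new file with WriteData/AddFile (0x2), so the two rows together answer the who/when question without scrolling the Security log. Filtering on ObjectName rather than on the whole log matters because, once object access auditing is on, the same event IDs are also raised for registry and other object types.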
MaheshArchitectCommented:
It's actually not explicitly turned off in the Default DC policy.

You can either enable it, or it is disabled only.

You got the problem because the file share auditing policy is getting applied 1st and the Default DC policy is getting applied last.
Since it is the winning policy and you haven't configured auditing in that policy, your resulting policy is getting null.

When you click on the Domain Controllers OU, on the right-hand side you can see the policy lower in the list will apply 1st and the policy upper in the list applies last (winning policy).

So move your auditing policy up in the list and you should be fine,
OR
you can directly configure auditing in the Default Domain Controllers Policy and not change the order.