Windows Server 2008 R2, DFS, Auditing Everything

Good Afternoon,

Background: We are, for reasons beyond my control, giving domain admin access to a user who may cause issues down the road. Not giving access to this user is now off the table and my hands are tied. So, as a result, I need to set up auditing to make sure that when they break something, we are covered and can show where the issue arose from.

Problem: I have successfully enabled AD DS auditing and now I am attempting to set up auditing on the DFS share and the user redirected documents. However, I checked the security log and it looks like every action taken on the DFS share is already being audited. I have looked all the way up the folder path and auditing is not enabled for anyone except this one user. Every time a user accesses their files, it is auditing it. The Security log is set to ~500MB and the log only has about 3 hours in it because it is full of users accessing their docs. Is there a way to stop auditing for everyone accessing their docs or another way to go about this? Thank you!

Environment: All servers running 2008/2008 R2, DFS branched out to 5 remote locations, all local machines running Windows 7 and joined to the domain.

Domain admin can disable all the things you are installing. Just stop wasting your time.
You will need some kind of central logging with compression and dedupe, or else all of your storage will be consumed by log files.

I suggest you look at the ELK stack, assuming you have someone comfortable with Linux. Then just install NXLog on the file servers and/or domain controllers to export your logs to the central database.

Once you get auditing enabled, make sure that it logs the event to disable logging; disabling the logging feature would be pretty much a smoking gun that they know they're doing something they shouldn't.

If you're only interested in logging file-server events, then you might look into Varonis. It has some really powerful capabilities.
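Two things the answer above implies but does not show: checking which audit entries (SACLs) actually apply to the DFS folder, and pulling the "smoking gun" events that record auditing being changed or the log being cleared. The following PowerShell is an added example, not from the original thread; the DFS path and account name are placeholders, and the event IDs (4719, 4907, 1102) are the standard Windows Security log IDs for those actions.

```powershell
# Added example (not part of the original thread). Run elevated on the file server
# or a DC; placeholder values below must be replaced with your own.
$Path    = '\\corp.example\dfs\Users'   # placeholder: DFS path holding redirected documents
$Watched = 'CONTOSO\newadmin'           # placeholder: the new domain admin account
$Since   = (Get-Date).AddDays(-7)

# 1. List every audit ACE on the folder, including inherited ones, so you can see
#    exactly which principals are being audited and whether the ACE was inherited
#    from a parent rather than set on this folder.
Get-Acl -Path $Path -Audit |
    Select-Object -ExpandProperty Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags,
                  IsInherited, InheritanceFlags |
    Format-Table -AutoSize

# 2. Show the effective "Object Access" audit policy. If File System success
#    auditing is on here, object-access events are generated for every audited
#    ACE on the tree, not only the entries you added by hand.
auditpol /get /category:"Object Access"

# 3. Tampering indicators for the last week:
#    4719 = system audit policy was changed
#    4907 = auditing settings (SACL) on an object were changed
#    1102 = the Security log was cleared
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4719, 4907, 1102
        StartTime = $Since
    } |
    Where-Object { $_.Message -match [regex]::Escape($Watched) } |
    Select-Object TimeCreated, Id,
                  @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Step 3 only proves anything if the events have already left the box, which is why the answer pairs it with central log forwarding.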

NMTSupport (Author) commented:
I apologize for the excessive delay in this. I had stopped checking after a while of not getting posts and then forgot about it.

First: The reason I am worried about the logging is not so much for malicious intent; my main concern is that this user does not know much about servers and centralized management and security but at the same time thinks that they do (i.e., a user could not get to a shared folder and this user 'fixed' it by granting everyone full control, etc.). Thus far, the user had been granted access; we just have not told them.

Second, I will look into that setup. I am comfortable with Linux but I would not label myself as an expert. My main point was simply to stop logging things I don't want to know about.

Thank you very much!