How to enable Security Events in Windows 2012 R2 File Server for sensitive directory user audit?


I've just configured a Windows Server 2012 R2 file server and am wondering if anyone here can assist with which security events to use, and how to enable them, to monitor/audit which employee accesses/copies/updates/deletes which file?

Senior IT System Engineer (IT Professional) asked:
yo_bee (Director of Information Technology) commented:
You need to open GPEDIT.MSC on the local file server and edit the settings under:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > enable Audit Object Access for Success and Failure.

This will record events in the Event Log under Security.
Here is a blog that will help explain it in more detail.

btan (Exec Consultant) commented:
Since you are using Win2012, you can leverage the granular auditing, i.e. author audit policies further by using claims and resource properties. See the
Change tracking for central access policies and central access rules. Central access policies and central access rules define the central policy that can be used to control access to critical resources.

Change tracking for definitions in the claim dictionary. Claim definitions include the claim name, description, and possible values. Any change to the claim definition can impact the access permissions on critical resources.

Overall, as a summary, the key areas to cover are:
- The server must be configured for Audit Object Access, either Success, Failure, or both.
- Configure the above for the server via either the local group policy or a GPO from AD; for local group policy access, run gpedit.msc, and for AD GPOs use the GPMC.
- The server needs to be told what it can audit, so configure the data for it to track when it is accessed.
- Be specific on the object (files in most cases) DACL and list the user, group, and/or computer that you want to track, as well as the level of access. Similar to the ACL, it needs to know what access is attempted, not control the access allowed.

There are more use cases that are helpful.
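The procedure in yo_bee's and btan's answers above, as an added example that is not from either answer: the Object Access auditing switched on with auditpol.exe (the advanced "File System" subcategory, which the coarser gpedit.msc setting also enables), an audit entry added to the folder, and the resulting 4663 events read back. Note that audit entries are stored in the object's SACL (the Auditing tab of Advanced Security Settings), separate from the DACL that grants or denies access. The folder D:\Shares\Finance and the group CONTOSO\FinanceUsers are placeholders; run this as an administrator on the file server.

```powershell
# Added example, not from any answer on this page. D:\Shares\Finance and
# CONTOSO\FinanceUsers are placeholders; run elevated on the file server.

# 1. Enable the File System subcategory of Object Access auditing. Using the
#    subcategory rather than the legacy "Audit object access" setting keeps
#    registry and kernel-object events out of the Security log.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) to the folder so access by the group is recorded.
$folder = 'D:\Shares\Finance'
$acl = Get-Acl -Path $folder -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('CONTOSO\FinanceUsers', $rights, $inherit, $propagation, $auditFlags)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Read back event 4663 ("an attempt was made to access an object") for the
#    last hour and decode the AccessMask bits into names. The bit values are the
#    Win32 FILE_* / standard access rights.
$accessNames = @{
    0x1 = 'ReadData'; 0x2 = 'WriteData'; 0x4 = 'AppendData'
    0x80 = 'ReadAttributes'; 0x100 = 'WriteAttributes'
    0x10000 = 'Delete'; 0x40000 = 'WriteDac'; 0x80000 = 'WriteOwner'
}
function ConvertFrom-AccessMask([string]$hex) {
    $mask = [Convert]::ToInt64($hex, 16)
    ($accessNames.Keys | Sort-Object | Where-Object { $mask -band $_ } |
        ForEach-Object { $accessNames[$_] }) -join ','
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Access  = ConvertFrom-AccessMask $d['AccessMask']
            Process = $d['ProcessName']
        }
    } |
    Where-Object { $_.Object -like "$folder*" } |
    Format-Table -AutoSize
```

Two things to keep in mind when reading the output: Windows has no "copy" event, so a copy shows up as ReadData on the source file (and, if the destination is audited, a WriteData on the new file); and auditing all of ReadData on a busy share produces a large number of events, so start with the rights you actually need to see (Delete and WriteData are usually the priority) before widening the entry.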
Senior IT System Engineer (IT Professional), author, commented:
Ah, I see.

So in terms of the event logs, do I need to enlarge the capacity, or can they be forwarded to some other place to make sure that the logs are kept for at least 1 month?
Anand Pandya commented:
You can go through the below article and increase the log size of the event logs so that you keep event logs for more time.
Moreover, you can also create another log file once it is filled, or overwrite the log file once it is filled.
You can go through the below article, as it is easy to understand and will fulfill your needs, I hope :)
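Sizing the Security log for the one-month retention asked about above, as an added example that is not from Anand Pandya's answer or from the article it refers to: it measures the current event rate, projects the size needed for 30 days, and applies it with Limit-EventLog; the commented wevtutil line is the "create another log file once it is filled" option. The 1 GB floor is an assumed minimum, and the script must run elevated.

```powershell
# Added example, not from any answer on this page. Run elevated on the
# file server. $targetDays comes from the question; the 1GB floor is assumed.
$targetDays = 30
$log = Get-WinEvent -ListLog Security
"Current Security log: max {0:N0} bytes, {1:N0} records, mode {2}" -f $log.MaximumSizeInBytes, $log.RecordCount, $log.LogMode

# How many Security events did the server write in the last 24 hours?
# (Object-access auditing on a busy share can produce hundreds of thousands,
# so this query may take a while.)
$since = (Get-Date).AddHours(-24)
$perDay = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue).Count

# Average on-disk bytes per record from the current file; assume 1 KB if empty.
$bytesPerEvent = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 1KB }
$neededBytes = [math]::Ceiling($perDay * $bytesPerEvent * $targetDays)
"Observed {0:N0} events/day at ~{1:N0} bytes each; {2} days need ~{3:N0} MB" -f $perDay, $bytesPerEvent, $targetDays, ($neededBytes / 1MB)

# Option A: keep everything on the server. Raise the cap (rounded up to a 64 KB
# multiple, which the event log service expects) and overwrite the oldest
# events when the log is full.
$maxBytes = [int64][math]::Max(1GB, [math]::Ceiling($neededBytes / 64KB) * 64KB)
Limit-EventLog -LogName Security -MaximumSize $maxBytes -OverflowAction OverwriteAsNeeded

# Option B: instead of overwriting, archive the full log to
# %SystemRoot%\System32\winevt\Logs\Archive-Security-<timestamp>.evtx and start
# a new one. The archives then still have to be moved off the box (scheduled
# script, or forwarding to a collector), otherwise they fill the system drive.
# wevtutil.exe sl Security /ab:true /rt:true
```

If a Group Policy sets "Specify the maximum log file size" for the Security log, that value wins over whatever Limit-EventLog applies locally, so check the effective setting after the next policy refresh. For the forwarding side of the question, Windows Event Forwarding (a subscription on a collector, configured with wecutil) keeps a copy off the file server regardless of how the local log is sized.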
Muhammad Burhan (Manager I.T.) commented:
Apply the GPO (see image) on the file server, and then you will get all of the shared file/folder access audits and can review them in the file server's Event Viewer.
Of course, the file server generates events continuously, so you have to manage the logs on a daily basis.
You can easily archive them and move them to another location using a PowerShell script.
Schedule it for automation.

$logFileName = "Security"
$path = "\\\Logs" # Add path; it needs to end with a backslash

# do not edit
$exportFileName = $logFileName + (Get-Date -Format yyyyMMdd) + ".evt"
# Back up the named log through WMI (needs administrator rights); the file lands at $path + $exportFileName
$logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object { $_.LogFileName -eq $logFileName }
$result = $logFile.BackupEventLog($path + $exportFileName)
# Stop here if the backup failed, so the log is never cleared without a copy
if ($result.ReturnValue -ne 0) { throw "BackupEventLog failed with return code $($result.ReturnValue); not clearing $logFileName" }

# Delete all .evt log files in $path that are more than $Daysback days old, then clear the Security log too

$Daysback = -30
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)
Get-ChildItem $path | Where-Object { ($_.LastWriteTime -lt $DatetoDelete) -and ($_.Extension -eq ".evt") } | Remove-Item
Clear-EventLog -LogName $logFileName