unrealone1 asked:

Configure Windows auditing on Windows shares

Experts,

I've got a customer that wants to keep a log of their files: what user accesses them, whether they made any changes, even denied attempts at access. They are a high-security business and need to keep things very, very secure. What would you recommend?

I know Windows has the functionality of keeping audits on this, but I don't know how well presented, accurate and consistent they are.

Do you know of any freeware/cheap alternatives?
SOLUTION
Benjamin Voglar
SOLUTION
unrealone1

ASKER

Hi Guys,

I tried that and got an error when selecting the principal, saying: "Error Applying Security - An error occurred while applying security information to C:\documents and settings - Failed to enumerate objects in the container. Access is denied"

I am doing this on the DC just as a test to make sure it works. Am I heading down the right path or have I gone awry?

Thanks
btan

See if the below helps

It was because of UAC on Server 2008. The domain admins did have access granted to them and they were logged in as members of the Domain Admins group, but could not use the privileges because of UAC.

The permissions were set up so domain admins ONLY had rights to the drive via privileges granted to the domain admins group (Full Control permissions to Administrators, System and Domain Admins and nothing else).

When you have UAC turned on, and you access the drive locally, the user does not access Windows Explorer with the token that has their domain admins credentials in it, so you can't even read the ACL and get access denied errors. It looks like only the domain admins group has this problem, because the built-in local administrator account is not stopped by this issue.

After either disabling UAC or adding List rights to the drive to the Everyone or Users group, members of domain admins could access the drive volume locally.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/4ab37bcf-60f6-4d2d-82c3-496f9d32b09b/domain-admins-denied-access-to-view-volume-even-when-granted-full-control-ntfs?forum=winserverDS

Hi btan,

I'm afraid it doesn't really. I am also unsure why it looks like I'm supposed to be assigning more permissions to the folder/folders I'm trying to set up auditing on.

Any clearance would be greatly appreciated.
SOLUTION
Hi,

Thanks, but I still do not understand the way this works. I have to set up an AD group that I drop all the users into that I want their access audited. Then I apply this object (AD group) to the auditing tab?

I still do not understand why permissions are coming into play here. These users will have full access (read, write, delete, etc.) to these files and folders.

Thanks for the continuous comments. I haven't set up Windows auditing before.
SOLUTION
Hi guys,

I think I have done it and set it the way it needs to be, however I cannot see any logs under 4656 or 4658 at all. I have also made a custom view to only look for these specific codes and still nothing.

I'm afraid I don't understand the background and the backend of how this works. If you could explain it stupidly layman's, I might be able to get my head around it better.

Thanks
ASKER CERTIFIED SOLUTION
As per advice given on tackling the error.
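
For the missing 4656/4658 events and the "Access is denied" error discussed in this thread, the three things that must all be in place can be checked from one script. This is an added example, not code from any participant's answer; the folder path and group name are hypothetical placeholders, and event 4663 is included as the related "access attempted" event.

```powershell
# Added example. $Path and $Principal are hypothetical; substitute real values.
param(
    [string]$Path      = 'D:\Shares\Finance',      # hypothetical audited folder
    [string]$Principal = 'CONTOSO\Audited-Users'   # hypothetical AD group to audit
)

# 1. UAC: the audit list (SACL) can only be read or changed with the elevated
#    token. A non-elevated admin session fails with "Access is denied".
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start PowerShell with "Run as administrator" and retry.'
}

# 2. Audit policy: entries on the Auditing tab produce no events until the
#    File System subcategory is enabled. Failure covers denied attempts.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"

# 3. SACL: an audit rule says whose access is logged. It grants nothing;
#    the users' permissions on the folder are left as they are.
$rights  = [Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions'
$inherit = [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$flags   = [Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object -TypeName Security.AccessControl.FileSystemAuditRule -ArgumentList `
    $Principal, $rights, $inherit, ([Security.AccessControl.PropagationFlags]::None), $flags

$acl = Get-Acl -Path $Path -Audit      # -Audit includes the SACL in the result
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl
(Get-Acl -Path $Path -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# 4. Read back: have a member of the group open a file, then list the events.
#    4656 = handle requested, 4663 = access attempted, 4658 = handle closed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4658, 4663 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Account'; e = { $_.Properties[1].Value } }   # subject user name
```

If step 2 reverts after a while, a domain Group Policy that defines advanced audit policy is overriding the local setting at refresh, and the subcategory has to be enabled in that GPO instead.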