unrealone1
asked on
Configure Windows auditing on Windows shares
Experts,
I've got a customer that wants to keep a log of their files. What user accesses them, if they made any changes, even denied attempts at access. They are a high security business and need to keep things very very secure. What would you recommend?
I know Windows has the functionality of keeping audits on this but I don't know how well presented, accurate and consistent they are.
Do you know of any freeware/cheap alternatives?
See if the below helps
https://social.technet.microsoft.com/Forums/windowsserver/en-US/4ab37bcf-60f6-4d2d-82c3-496f9d32b09b/domain-admins-denied-access-to-view-volume-even-when-granted-full-control-ntfs?forum=winserverDS
It was because of UAC on Server 2008. The domain admins did have access granted to them and they were logged in as members of the Domain Admins group, but could not use the privileges because of UAC.
The permissions were set up so domain admins ONLY had rights to the drive via privileges granted to the domain admins group (Full Control permissions to Administrators, System and Domain Admins and nothing else).
When you have UAC turned on, and you access the drive locally, the user does not access Windows Explorer with the token that has their domain admins credentials in it, so you can't even read the ACL and get access denied errors. It looks like only the domain admins group has this problem, because the built-in local administrator account is not stopped by this issue.
After either disabling UAC or adding List rights to the drive to the Everyone or Users group, members of domain admins could access the drive volume locally.
ASKER
Hi btan,
I'm afraid it doesn't really. I am also unsure why it looks like I'm supposed to be assigning more permissions to the folder/folders I'm trying to set up auditing on.
Any clearance would be greatly appreciated.
ASKER
Hi,
Thanks, but I still do not understand the way this works. I have to set up an AD group that I drop all the users into that I want their access audited. Then I apply this object (AD group) to the auditing tab?
I still do not understand why permissions are coming into play here. These users will have full access (read, write, delete, etc.) to these files and folders.
Thanks for the continuous comments. I haven't set up Windows auditing before.
ASKER
Hi guys,
I think I have done it and set it the way it needs to be, however I cannot see any logs under 4656 or 4658 at all. I have also made a custom view to only look for these specific codes and still nothing.
I'm afraid I don't understand the background and the backend of how this works. If you could explain it stupidly layman's, I might be able to get my head around it better.
Thanks
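An added example, not part of the original thread: file auditing only produces Security log events when both the "File System" audit subcategory is enabled and the folder carries an audit entry (SACL) for the users concerned, and the sketch below checks both and then looks for the resulting events. `$Path` and `$Group` are hypothetical placeholders, and an English-language server and an elevated session are assumed.

```powershell
# Added example. $Path and $Group are assumed placeholders, not values from the thread.
$Path  = 'D:\Shares\Finance'        # hypothetical shared folder on the file server
$Group = 'CONTOSO\Audited-Users'    # hypothetical AD group whose access is audited

# 1. Audit policy: without the "File System" subcategory, audit entries are never evaluated.
#    A domain GPO that defines advanced audit policy overrides this local setting.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. Audit entry (the Auditing tab). It lives in the SACL and grants no access;
#    the permissions themselves stay in the DACL and are not modified here.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Confirm the entry is present and inherited by child objects.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 4. After a test access by a member of $Group, look for object-access events.
#    4656 = handle requested, 4663 = access attempted. 4658 (handle closed) carries
#    no object name; correlate it to a 4656 through the HandleId field.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev   = $_
        $data = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time     = $ev.TimeCreated
            Id       = $ev.Id
            User     = $data['SubjectUserName']
            Object   = $data['ObjectName']
            HandleId = $data['HandleId']
            Access   = $data['AccessMask']
        }
    } |
    Where-Object { $_.Object -like "$Path*" } |
    Format-Table -AutoSize
```

If step 1 reports the subcategory as enabled and step 3 lists the entry but step 4 returns nothing, run `auditpol /get /category:"Object Access"` again after a Group Policy refresh to see whether a domain policy has reset the setting.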
As per advice given on tackling the error.
ASKER
I tried that and got an error when selecting the principal, saying: "Error Applying Security - An error occurred while applying security information to C:\documents and settings - Failed to enumerate objects in the container. Access is denied"
I am doing this on the DC just as a test to make sure it works. Am I heading down the right path or have I gone awry?
Thanks