Solved

Windows Server 2008R2 file server - does not log locally logged in account file deletions?

Posted on 2016-11-17
Last Modified: 2016-11-18
I set up file auditing per this guide: https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

I can see all file edits and deletions made by accounts which are accessing the file server through a network share.
This works for most use cases.
But I noticed that if a locally logged in admin account makes changes to files, those changes are not logged.

The same account, accessing files remotely via a network share, does have the file changes logged by the server.

Is there a step missing on this guide to enable auditing for locally logged in accounts or is this by design?
0
Question by:SeeDk
5 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 41892517
Please be aware that saved credentials (from another account) might be in use. Clear the security event log, modify the files again from remote and have a look at what's logged.
0
 
LVL 65

Expert Comment

by:btan
ID: 41892536
Multiple policies are set to GPO that adopt the below LSDOU approach and last writes win. E.g.
L:Local
S:Site
DO:Domain
OU:OU

In other words, you can apply policies locally even when you have group policies. But when any of the settings conflict then the group policy overwrites the local policy.

So wondering if there is any conflict with the local policy and default domain GPO.
0
 

Author Comment

by:SeeDk
ID: 41892815
@McKnife
Not sure I completely understand what you mean. Do you mean that the changes I'm making may be registered from a different account than what I think it should be?
Also, to clarify, logging from remote connections to the servers works fine.
It is changes made by a locally logged in admin account that are not logged.

@btan
I checked the Domain level GPOs applied to this server and none are in conflict.

A thing I noticed is that if I turn on "Audit Detailed File Share" in the secpol.msc, the server does log actions made by local admins but it also logs A LOT of other information, most of which is not needed.
0
 
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 41892826
Oops, I misunderstood although I had read it... no, my note does not apply, then.
I just took a local account on server 2008 R2, made it local admin and modified files that were being audited for full access by everyone.
I got logged alright. I used secpol.msc - advanced audit policy - object access - audit file system.
0
 

Author Comment

by:SeeDk
ID: 41892873
Ok, false alarm and simple/silly solution.
I noticed another admin account DID get logged and the only difference between the two was mine made the changes and hasn't logged out since then.
Logged out and back in, changes are being logged.
0
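The checks discussed in this thread (the "Audit File System" subcategory, the audit entries on the folder, and which accounts and logon sessions actually produce events) can be run as one script. This is an added example, not code from any poster; the folder path and the one-hour window are assumptions, and it needs an elevated prompt on the file server.

```powershell
# Added example. $Path is a hypothetical audited folder; replace it with your own.
$Path = 'D:\Shares\Finance'

# 1. Effective policy for the subcategory set in secpol.msc
#    (Advanced Audit Policy > Object Access > Audit File System).
auditpol /get /subcategory:"File System"

# 2. Audit entries (SACL) on the folder: who is audited and for which rights.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# 3. Event 4663 (an attempt was made to access an object) from the last hour,
#    limited to objects under $Path whose access mask includes DELETE (0x10000).
$DELETE = 0x10000
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Read EventData fields by name instead of by position.
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $d[$n.Name] = $n.'#text'
        }
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)
        if ($d['ObjectName'] -like "$Path*" -and ($mask -band $DELETE)) {
            New-Object PSObject -Property @{
                Time    = $evt.TimeCreated
                Account = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                LogonId = $d['SubjectLogonId']
                Object  = $d['ObjectName']
                Process = $d['ProcessName']
            }
        }
    }

# One row per account and logon session, so a session that produces no events stands out.
$hits | Group-Object Account, LogonId |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

$hits | Sort-Object Time | Format-Table Time, Account, LogonId, Object, Process -AutoSize
```

Delete a test file in the folder from each session you want to compare before running it, then check that every account and logon ID you expect appears in the grouped output.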
