Solved

Windows Server 2008R2 file server - does not log locally logged in account file deletions?

Posted on 2016-11-17
Last Modified: 2016-11-18
I set up file auditing per this guide: https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

I can see all file edits and deletions made by accounts which are accessing the file server through a network share.
This works for most use cases.
But I noticed that if a locally logged in admin account makes changes to files, those changes are not logged.

The same account, accessing files remotely via a network share, does have the file changes logged by the server.

Is there a step missing on this guide to enable auditing for locally logged in accounts or is this by design?
Question by:SeeDk

Expert Comment

by:McKnife
ID: 41892517
Please be aware that saved credentials (from another account) might be in use. Clear the security event log, modify the files again from remote and have a look at what's logged.

Expert Comment

by:btan
ID: 41892536
Multiple policies are set to GPO that adopt the below LSDOU approach and last writes win. E.g.
L:Local
S:Site
DO:Domain
OU:OU

In other words, you can apply policies locally even when you have group policies. But when any of the settings conflict, the group policy overwrites the local policy.

So wondering if there is any conflict with the local policy and default domain GPO.

Author Comment

by:SeeDk
ID: 41892815
@McKnife
Not sure I completely understand what you mean. Do you mean that the changes I'm making may be registered from a different account than what I think it should be?
Also, to clarify, logging from remote connections to the servers works fine.
It is changes made by a locally logged in admin account that are not logged.

@btan
I checked the Domain level GPOs applied to this server and none are in conflict.

A thing I noticed is that if I turn on "Audit Detailed File Share" in the secpol.msc, the server does log actions made by local admins but it also logs A LOT of other information, most of which is not needed.

Accepted Solution

by:McKnife
ID: 41892826
Oops, I misunderstood although I had read it... no, my note does not apply, then.
I just took a local account on server 2008 R2, made it local admin and modified files that were being audited for full access by everyone.
I got logged alright. I used secpol.msc - advanced audit policy - object access - audit file system.

Author Comment

by:SeeDk
ID: 41892873
Ok, false alarm and simple/silly solution.
I noticed another admin account DID get logged and the only difference between the two was mine made the changes and hasn't logged out since then.
Logged out and back in, changes are being logged.
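
Added example, not part of the original thread: a PowerShell check of each layer discussed above (the "Audit File System" policy, the folder's audit entries, and the resulting Security-log events for one account). The values of `$Path` and `$Account` are placeholders, and event ID 4663 with the DELETE access bit `0x10000` is used here as the file-access record to look for.

```powershell
# Added example; run in an elevated PowerShell session on the file server.
# $Path and $Account are placeholders (assumptions), not values from the thread.
$Path    = 'D:\Shares\Data'
$Account = 'adminuser'

# 1. Effective audit policy for the File System subcategory (the setting
#    reached through secpol.msc > Advanced Audit Policy > Object Access).
auditpol /get /subcategory:"File System"

# 2. Audit entries (SACL) on the folder: which principals and rights are audited.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 3. Event 4663 (object access) under $Path by $Account during the last day.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    # Read fields by name from the event XML so field order does not matter.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    if ($data['SubjectUserName'] -eq $Account -and $data['ObjectName'] -like "$Path*") {
        New-Object PSObject -Property @{
            Time    = $evt.TimeCreated
            User    = $data['SubjectUserName']
            LogonId = $data['SubjectLogonId']          # logon session that made the access
            Object  = $data['ObjectName']
            Delete  = [bool]($mask -band 0x10000)      # DELETE access right was used
        }
    }
} | Format-Table Time, User, LogonId, Delete, Object -AutoSize
```

The `LogonId` column shows which logon session produced each event, which helps when comparing a session that has been open for a while against a fresh logon of the same account.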