Solved

Windows Server 2008R2 file server - does not log locally logged in account file deletions?

Posted on 2016-11-17
Last Modified: 2016-11-18
I set up file auditing per this guide: https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

I can see all file edits and deletions made by accounts which are accessing the file server through a network share.
This works for most use cases.
But I noticed that if a locally logged in admin account makes changes to files, those changes are not logged.

The same account, accessing files remotely via a network share, does have the file changes logged by the server.

Is there a step missing on this guide to enable auditing for locally logged in accounts or is this by design?
Question by:SeeDk
LVL 53

Expert Comment

by:McKnife
ID: 41892517
Please be aware that saved credentials (from another account) might be in use. Clear the security event log, modify the files again from remote and have a look at what's logged.
 
LVL 62

Expert Comment

by:btan
ID: 41892536
Multiple policies set by GPO follow the LSDOU approach below, and the last write wins. E.g.:
L: Local
S: Site
D: Domain
OU: OU

In other words, you can apply policies locally even when you have group policies. But when any of the settings conflict, the group policy overwrites the local policy.

So wondering if there is any conflict with the local policy and default domain GPO.
 

Author Comment

by:SeeDk
ID: 41892815
@McKnife
Not sure I completely understand what you mean. Do you mean that the changes I'm making may be registered from a different account than what I think it should be?
Also, to clarify, logging from remote connections to the servers works fine.
It is changes made by a locally logged in admin account that are not logged.

@btan
I checked the Domain level GPOs applied to this server and none are in conflict.

A thing I noticed is that if I turn on "Audit Detailed File Share" in the secpol.msc, the server does log actions made by local admins but it also logs A LOT of other information, most of which is not needed.
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 41892826
Oops, I misunderstood although I had read it... no, my note does not apply, then.
I just took a local account on server 2008 R2, made it local admin and modified files that were being audited for full access by everyone.
I got logged alright. I used secpol.msc - advanced audit policy - object access - audit file system.
 

Author Comment

by:SeeDk
ID: 41892873
Ok, false alarm and simple/silly solution.
I noticed another admin account DID get logged and the only difference between the two was that mine made the changes and hasn't logged out since then.
Logged out and back in, changes are being logged.
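
An added example, not part of the original thread: one way to check which logon sessions are producing file-deletion audit events on the server, so that local, share and RDP sessions can be compared. It assumes the standard Security log event IDs 4624 (logon) and 4663 (object access), that the folder's SACL already audits Delete, and a constructed 24-hour look-back window; a session that logged on before the window is reported as unknown.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the file server.
# Assumes the audited folder's SACL already covers Delete for the accounts of interest.

# Turn an event's <EventData> section into a name -> value hashtable.
function Get-EventFields($evt) {
    $fields = @{}
    foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $fields[$n.GetAttribute('Name')] = $n.InnerText
    }
    $fields
}

# 1. Confirm the Object Access "File System" subcategory is being audited.
auditpol /get /subcategory:"File System"

# 2. Map each logon session ID to its logon type using 4624 events.
$since    = (Get-Date).AddDays(-1)   # constructed look-back window
$typeName = @{ '2' = 'Interactive (local)'; '3' = 'Network (share)'; '10' = 'RemoteInteractive (RDP)' }
$sessions = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $sessions[$f['TargetLogonId']] = $f['LogonType']
    }

# 3. Report 4663 events whose access mask includes DELETE (0x10000), tagged with the logon type.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if (([Convert]::ToInt32($f['AccessMask'], 16) -band 0x10000) -ne 0) {
            $type = $sessions[$f['SubjectLogonId']]
            if ($type -and $typeName.ContainsKey($type)) { $label = $typeName[$type] }
            elseif ($type)                               { $label = "Type $type" }
            else                                         { $label = 'Unknown (logon predates window)' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                User      = $f['SubjectUserName']
                LogonType = $label
                Process   = $f['ProcessName']
                Object    = $f['ObjectName']
            }
        }
    } |
    Select-Object Time, User, LogonType, Process, Object |
    Format-Table -AutoSize
```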