• Status: Solved

Windows Server 2008R2 file server - does not log locally logged in account file deletions?

I set up file auditing per this guide: https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

I can see all file edits and deletions made by accounts which are accessing the file server through a network share.
This works for most use cases.
But I noticed that if a locally logged in admin account makes changes to files, those changes are not logged.

The same account, accessing files remotely via a network share, does have the file changes logged by the server.

Is there a step missing on this guide to enable auditing for locally logged in accounts or is this by design?

Asked by: SeeDk

McKnife Commented:
Please be aware that saved credentials (from another account) might be in use. Clear the security event log, modify the files again from remote and have a look at what's logged.

btan (Exec Consultant) Commented:
Multiple policies are set to GPO that adopt the below LSDOU approach and last writes win. E.g.
L:Local
S:Site
DO:Domain
OU:OU

In other words, you can apply policies locally even when you have group policies. But when any of the settings conflict, the group policy overwrites the local policy.

So wondering if there is any conflict with the local policy and default domain GPO.

SeeDk (Author) Commented:
@McKnife
Not sure I completely understand what you mean. Do you mean that the changes I'm making may be registered from a different account than what I think it should be?
Also, to clarify, logging from remote connections to the servers works fine.
It is changes made by a locally logged in admin account that are not logged.

@btan
I checked the Domain level GPOs applied to this server and none are in conflict.

A thing I noticed is that if I turn on "Audit Detailed File Share" in the secpol.msc, the server does log actions made by local admins but it also logs A LOT of other information, most of which is not needed.

McKnife Commented:
Oops, I misunderstood although I had read it... no, my note does not apply, then.
I just took a local account on server 2008 R2, made it local admin and modified files that were being audited for full access by everyone.
I got logged alright. I used secpol.msc - advanced audit policy - object access - audit file system.

SeeDk (Author) Commented:
Ok, false alarm and simple/silly solution.
I noticed another admin account DID get logged and the only difference between the two was mine made the changes and hasn't logged out since then.
Logged out and back in, changes are being logged.
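
For anyone checking the same symptom: the script below is an added example, not something posted in this thread. It shows the "File System" audit subcategory and the folder's audit entries, then tags each file access event (4663) with the logon type of the session that produced it, so local and network-share activity can be told apart. The folder path `D:\Shares\Audited` and the one-hour window are placeholders.

```powershell
# Added example, not from the thread. $Path is a placeholder for an audited folder.
# Run from an elevated prompt on the file server; avoids syntax newer than PowerShell 2.0.
param([string]$Path = 'D:\Shares\Audited', [int]$Hours = 1)

# 1. Effective setting of the "Audit File System" subcategory mentioned in the thread.
auditpol /get /subcategory:"File System"

# 2. Audit entries (SACL) on the folder: who is audited, and for which rights.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Flatten an event record's <EventData> into a name -> value hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

$since = (Get-Date).AddHours(-$Hours)

# 3. Map logon IDs to logon types from 4624 (2 = interactive, 3 = network, 10 = remote interactive).
#    Sessions that started before $since are not in the map and show as 'unknown' in step 4.
$logonType = @{}
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { $f = Get-EventFields $_; $logonType[$f['TargetLogonId']] = $f['LogonType'] }

# 4. File access events (4663) under $Path, tagged with the session's logon type.
#    An AccessMask of 0x10000 is the DELETE right.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['ObjectName'] -like "$Path*") {
            $type = $logonType[$f['SubjectLogonId']]
            if (-not $type) { $type = 'unknown' }
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; User = $f['SubjectUserName']; LogonId = $f['SubjectLogonId']
                LogonType = $type; Access = $f['AccessMask']; Object = $f['ObjectName']
            }
        }
    } | Sort-Object Time | Format-Table Time, User, LogonId, LogonType, Access, Object -AutoSize
```

Rows with logon type 2 come from a console session on the server itself and rows with type 3 from access over the network share.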