Solved

Windows Server 2008R2 file server - does not log locally logged in account file deletions?

Posted on 2016-11-17
Last Modified: 2016-11-18
I set up file auditing per this guide: https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

I can see all file edits and deletions made by accounts which are accessing the file server through a network share.
This works for most use cases.
But I noticed that if a locally logged in admin account makes changes to files, those changes are not logged.

The same account, accessing files remotely via a network share, does have the file changes logged by the server.

Is there a step missing on this guide to enable auditing for locally logged in accounts or is this by design?
Question by:SeeDk
5 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 41892517
Please be aware that saved credentials (from another account) might be in use. Clear the security event log, modify the files again from remote and have a look at what's logged.
0
 
LVL 63

Expert Comment

by:btan
ID: 41892536
Multiple policies are set to GPO that adopt the below LSDOU approach and last writes win. E.g.
L:Local
S:Site
DO:Domain
OU:OU

In other words, you can apply policies locally even when you have group policies. But when any of the settings conflict, the group policy overwrites the local policy.

So wondering if there is any conflict with the local policy and default domain GPO.
0
 

Author Comment

by:SeeDk
ID: 41892815
@McKnife
Not sure I completely understand what you mean. Do you mean that the changes I'm making may be registered from a different account than what I think it should be?
Also, to clarify, logging from remote connections to the servers works fine.
It is changes made by a locally logged in admin account that are not logged.

@btan
I checked the Domain level GPOs applied to this server and none are in conflict.

A thing I noticed is that if I turn on "Audit Detailed File Share" in the secpol.msc, the server does log actions made by local admins but it also logs A LOT of other information, most of which is not needed.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 41892826
Oops, I misunderstood although I had read it... no, my note does not apply, then.
I just took a local account on server 2008 R2, made it local admin and modified files that were being audited for full access by everyone.
I got logged alright. I used secpol.msc - advanced audit policy - object access - audit file system.
0
 

Author Comment

by:SeeDk
ID: 41892873
Ok, false alarm and simple/silly solution.
I noticed another admin account DID get logged and the only difference between the two was mine made the changes and hasn't logged out since then.
Logged out and back in, changes are being logged.
0
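
One way to check which sessions the server is actually auditing, as an added example that is not part of the original thread: it confirms the "Audit File System" policy and the folder's SACL, then tags each file access event with the logon type of the session that produced it, so local (interactive) and share (network) activity can be compared. The folder path is a hypothetical placeholder, and the use of Security events 4663 (object access) and 4624 (logon) is this example's assumption; neither event ID is mentioned in the thread.

```powershell
# Added example. Run from an elevated prompt on the file server.
# Assumption: $Path is a hypothetical audited folder; substitute your own.
$Path  = 'D:\Shares\Audited'
$Since = (Get-Date).AddHours(-1)

# Flatten an event's <EventData> into a name/value hashtable.
function Get-EventField($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 1. Effective policy: the "File System" subcategory must report Success and/or Failure.
auditpol /get /subcategory:"File System"

# 2. SACL: which principals and rights are audited on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 3. Map logon IDs to logon types from 4624 (2 = interactive, 3 = network, 10 = RDP).
#    Events arrive newest first, so the first hit per logon ID is kept.
#    A session whose 4624 record is no longer in the log shows as 'unknown'.
$logonType = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f  = Get-EventField $_
        $id = $f['TargetLogonId']
        if ($id -and -not $logonType.ContainsKey($id)) { $logonType[$id] = $f['LogonType'] }
    }

# 4. File access events (4663) under $Path, tagged with the session's logon type.
#    AccessMask 0x10000 is the DELETE access right.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventField $_
        if ($f['ObjectName'] -like "$Path*") {
            $type = $logonType[$f['SubjectLogonId']]
            if (-not $type) { $type = 'unknown' }
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; User = $f['SubjectUserName']; LogonType = $type
                AccessMask = $f['AccessMask']; Object = $f['ObjectName']
            }
        }
    } | Select-Object Time, User, LogonType, AccessMask, Object | Format-Table -AutoSize
```

If a test deletion made from the console never appears with logon type 2 or 10 while share access appears with type 3, the gap is specific to local sessions rather than to the policy or the SACL.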
