Auditing Folders and Files - Audit Policy - Audit Object Access

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I am trying to track/audit the access of some folders and files at our file
server. Wanted to know who deleted some stuffs.

Have followed the steps advised in the below link, but I still couldn't get
it to work:
http://support.microsoft.com/Default.aspx?kbid=300549

Here is what I did:

1) At the file server, Local Security Settings, Local Policies, Audit
Policies, I enabled Audit Object Access to track Success\Failure.

2) Then, I went to that particular subfolder, Properties, Security,
Advanced, Audit and entered the usernames, groups and access that I'd like
have audited.

3) I did some test by creating and deleting files in the subfolder. After
that, I checked at the file server's Security Log but nothing happens. It
only tracks the default Logon/Logoff Success Audits.

I have admin rights and have tested few times. Could someone help?
 
Make sure on that server that auditing of object access is indeed enabled.
Open Local Security Policy and look at the "effective" settings if the
server is Windows 2000. If the local and effective settings are different
then you have a domain or Organizational Unit Group Policy overriding local
policy and you will have to enable auditing of object access at that level
or put the server in it's own OU with it's own GPO to configure the policy.
The support tool gpresult can help determine which "computer" policies are
applying to a domain computer. If the file server is a domain controller,
you will have to configure in Domain Controller Security Policy. --- Steve
 
It works! Thanks a lot expert!

Steven L Umbach said:
Make sure on that server that auditing of object access is indeed enabled.
Open Local Security Policy and look at the "effective" settings if the
server is Windows 2000. If the local and effective settings are different
then you have a domain or Organizational Unit Group Policy overriding local
policy and you will have to enable auditing of object access at that level
or put the server in it's own OU with it's own GPO to configure the policy.
The support tool gpresult can help determine which "computer" policies are
applying to a domain computer. If the file server is a domain controller,
you will have to configure in Domain Controller Security Policy. --- Steve
Click to expand...
 
Cool. Shucks I am no expert, I just read a lot. Now the fun begins for you
to search through all those event ID's 560 and 562. --- Steve
 
Download a freeware tool called netwrix file server change reporter. It will audit and report on all changes and access to file servers and permissions. The enterprise version will tell you who made each change, when.
 
Back
Top