Auditing


Carl Hilton

I have a server with user files and the permissions on the folders keep
getting changed. I turned on Auditing for CHANGE PERMISSIONS SUCCESS but can
see nothing in the SECURITY log... This is on a W2K SERVER... Do I need to
reboot the server for the auditing to take effect? What is the EVENT ID I
should be looking for?

Thanks
Carl
 
Hi Carl.

Make sure that you enable auditing of object access on your server first. This is
done in the appropriate security policy, which could be local or domain/OU for domain
members and Domain Controller Security Policy for domain controllers. You want to
make sure that the effective setting is configured the way that you want, which takes
into account GPO that can override local policy. You should not have to reboot, and
using secedit /refreshpolicy machine_policy /enforce will speed up application of
security policy. Event IDs 560 and 562 will contain information for object access.
The link below explains in more detail. Be sure to audit only permissions you want to
track for users you want to track [avoid everyone and users] to keep the number of
events in the security log lower, which will still be very substantial.

--- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
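
One way to pick permission changes out of the object-access volume described in the reply above is to keep only event 560 records whose access list includes WRITE_DAC, the access right needed to change an object's permissions. This is an added example, not part of the original thread; the records are constructed, and the "Field: value" layout and field names are assumptions to adjust to your own exported event text.

```python
import re

# Constructed sample records (not from the thread). The "Field: value" layout
# and field names are assumptions; adjust them to match your exported events.
SAMPLE_EVENTS = [
    {"event_id": 560, "description": r"""Object Open:
    Object Type: File
    Object Name: D:\Users\jsmith
    New Handle ID: 1480
    Client User Name: asmith
    Accesses: READ_CONTROL
        WRITE_DAC"""},
    {"event_id": 560, "description": r"""Object Open:
    Object Type: File
    Object Name: D:\Users\jsmith\report.doc
    New Handle ID: 1512
    Client User Name: bjones
    Accesses: ReadData (or ListDirectory)"""},
    {"event_id": 562, "description": "Handle Closed:\n    Handle ID: 1480"},
]

def parse_description(text):
    """Parse 'Field: value' lines; an indented line with no field name
    continues the previous field (the multi-line Accesses list)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.*)$", line)
        if m:
            last = m.group(1).strip()
            fields[last] = [m.group(2).strip()]
        elif last and line.strip():
            fields[last].append(line.strip())
    return fields

def permission_changes(events, path_prefix=""):
    """Return (user, object) for each 560 event that requested WRITE_DAC."""
    hits = []
    for ev in events:
        if ev["event_id"] != 560:      # 562 only records the handle closing
            continue
        f = parse_description(ev["description"])
        name = f.get("Object Name", [""])[0]
        if "WRITE_DAC" in f.get("Accesses", []) and \
                name.lower().startswith(path_prefix.lower()):
            hits.append((f.get("Client User Name", ["?"])[0], name))
    return hits

if __name__ == "__main__":
    for user, obj in permission_changes(SAMPLE_EVENTS, r"D:\Users"):
        print(f"{user} opened {obj} with WRITE_DAC")
```

A 560 record shows the access that was requested when the object was opened, so a WRITE_DAC hit identifies who opened the folder with the right to change permissions rather than proving the ACL was altered.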
 