Effect of auditing SYSVOL directory?

Greetings,

Our auditors have asked us to audit the WINNT directory, and inside it is
the SYSVOL directory. I added an "Administrators/Full Control" auditing
entry. I got a 13567 as it was chugging through changing all the
auditing entries on all the policy files and experienced a temporary
replication storm. Something that was very interesting that I noticed
afterwards was that the auditing on that folder found its way onto other
domain controllers on which the SYSVOL was on a different drive and thus not
set for auditing. I believe this was done as a result of DFS: if the
auditing settings were set on one, those auditing settings were replicated
via DFS to the files and folders of the SYSVOL on all domain controllers.

I have not actually enabled the policy for object access auditing. I'm
concerned about turning it on. I'm worried that auditing the SYSVOL may
cause File Replication to go crazy, and that AD would stop authenticating
people. I'm not auditing the Everyone group (thankfully), only the
Administrators group. But I was wondering if someone could perhaps provide
some insight on this. Should I enable object access auditing on the local
secpol of one DC? Should I remove the auditing of the SYSVOL and brave the
temporary FRS storm so that when auditing policy is turned on it will be a
non-issue, or should I do nothing?

Any insight on this issue would be most appreciated.
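Before applying or removing an audit entry on SYSVOL, it helps to see what is already there and how far an inheritable entry would cascade, since every file whose SACL changes is a change FRS has to replicate to every DC. The following is an added, read-only PowerShell check (not from this thread); the SYSVOL path, the group name and the use of auditpol (Server 2008 and later; on older systems this is the secpol "Audit object access" setting the poster mentions) are assumptions, and it must run as an administrator because reading a SACL requires SeSecurityPrivilege.

```powershell
# Added example (not from the thread): inspect the SYSVOL SACL and the
# object-access audit policy on one DC without changing anything.
param(
    [string]$SysvolPath = (Join-Path $env:SystemRoot 'SYSVOL\sysvol'),  # assumed location
    [string]$Principal  = 'BUILTIN\Administrators'                     # group the poster audited
)
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# 1. Current audit (SACL) entries on the SYSVOL root, explicit vs. inherited.
$acl = Get-Acl -Path $SysvolPath -Audit
$acl.Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited, InheritanceFlags |
    Format-Table -AutoSize

# Flag the broad entries the poster was glad to avoid: Everyone, or Full Control
# (success + failure on every right), which generate far more object-access events.
$broad = $acl.Audit | Where-Object {
    $_.IdentityReference.Value -like '*Everyone*' -or
    (($_.FileSystemRights -band $FullControl) -eq $FullControl -and $_.AuditFlags -eq 'Success, Failure')
}
if ($broad) { Write-Warning "Broad audit entries present; expect heavy object-access logging." }
if (-not ($acl.Audit | Where-Object { $_.IdentityReference.Value -eq $Principal })) {
    Write-Host "No audit entry for $Principal on $SysvolPath"
}

# 2. How many objects an inheritable entry would cascade into: each one is a
#    security-descriptor change that FRS (or DFS-R) replicates to every DC.
$items   = Get-ChildItem -Path $SysvolPath -Recurse -Force -ErrorAction SilentlyContinue
$files   = @($items | Where-Object { -not $_.PSIsContainer }).Count
$folders = @($items | Where-Object { $_.PSIsContainer }).Count
"{0} files / {1} folders under {2} would receive an inherited audit entry" -f $files, $folders, $SysvolPath

# 3. Is object-access auditing for the file system actually enabled on this DC?
#    Audit entries in a SACL produce no events until this policy is on.
auditpol /get /subcategory:"File System" 2>$null | Where-Object { $_ -match 'File System' }
```

Running this on each DC shows whether the replicated SACL entry is now present everywhere, which is what the poster observed, and whether enabling the policy would start logging immediately.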
Hello,

You might want to take a look at the following article:

http://blogs.msdn.com/ericfitz/archive/2005/08/04/447951.aspx

While this doesn't directly address your question, it certainly sets a
precedent for auditing the SYSVOL folder in a production environment. I
would, however, be careful of the detail to which you audit as you don't
want to overload your servers or log files.

Does anyone else have any input here?

Ryan Hanisco