Event Log show Folder or File Object Access

Help please. When I look at my Server Security Event Logs, for Object
Access, the logs do not reflect the directory or UNC for files or folders for
which users access, modify, create, delete etc.

On the Domain Security Logs and Domain Controller Security Logs for the
Server 2003 Server I have object access checked to audit the failure and
success of such object accessed, checked.

Take care,
John
 
You should see the folder being accessed. Try looking for Event ID 560.
Below is an example from my computer. Note the object name field is the name
of the file being accessed. --- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 1/3/2006
Time: 11:33:46 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Drivers\SonyUSB\sonyhcusb2k.inf <<<<<<<<<<<<<<<<<<<
Handle ID: 120
Operation ID: {0,3472111}
Process ID: 3580
Image File Name: D:\WINDOWS\system32\notepad.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0x1BBD4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
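
An added example, not part of the original thread: a small parser for the text of an Event ID 560 record like the one pasted above, pulling out the Object Name, the process, the user and the multi-line Accesses list. The sample text is constructed from the layout in the post; `parse_560`, `summarize` and the `KINDS` mapping of access-right names to categories are assumptions made for illustration.

```python
import re

# Constructed sample: Event ID 560 text trimmed from the layout in the post above.
SAMPLE_560 = r"""Object Type: File
Object Name: D:\Drivers\SonyUSB\sonyhcusb2k.inf
Image File Name: D:\WINDOWS\system32\notepad.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadAttributes

Privileges: -
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):[ \t]*(.*)$")
# Assumption: prefixes of the access-right names printed in 560 events.
KINDS = {"ReadData": "read", "WriteData": "write", "AppendData": "write",
         "DELETE": "delete", "WRITE_DAC": "permission-change"}

def parse_560(text):
    """Return the event's fields; 'Accesses' becomes a list, one right per line."""
    fields, accesses, in_accesses = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            in_accesses = key == "Accesses"
            if not in_accesses:
                fields[key] = value
            elif value:
                accesses.append(value)
        elif in_accesses and line:
            accesses.append(line)      # continuation line of the Accesses list
        else:
            in_accesses = False        # a blank line ends the list
    fields["Accesses"] = accesses
    return fields

def summarize(fields):
    """Who touched which object, with which process, and what kind of access."""
    kinds = sorted({k for r in fields["Accesses"]
                    for p, k in KINDS.items() if r.startswith(p)})
    user = fields.get("Primary Domain", "?") + "\\" + fields.get("Primary User Name", "?")
    return {"user": user, "object": fields.get("Object Name"),
            "process": fields.get("Image File Name"), "kinds": kinds}
```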
 
Steve,

I managed to find the answer from the Microsoft Knowledge Base. Basically, right
click on the server folder, select the Security tab and on the bottom right
corner select Advanced, then select the Auditing tab and find or select the
user (I selected Authenticated Users). After performing the aforementioned,
users accessing the folders and/or files were audited as having accessed the
object.
 
OK. I thought you had already enabled auditing on the folders you wanted to
track. Be sure to audit the bare amount of permissions necessary to
accomplish what you want to do in order to minimize the amount of object
access events recorded. --- Steve
 