
Auditing Folders and Files - Audit Policy - Audit Object A..

December 30, 2004 9:01:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I am trying to track/audit the access of some folders and files at our file
server. Wanted to know who deleted some stuff.

Have followed the steps advised in the below link, but I still couldn't get
it to work:
http://support.microsoft.com/Default.aspx?kbid=300549

Here is what I did:

1) At the file server, Local Security Settings, Local Policies, Audit
Policies, I enabled Audit Object Access to track Success\Failure.

2) Then, I went to that particular subfolder, Properties, Security,
Advanced, Audit and entered the usernames, groups and access that I'd like
to have audited.

3) I did some tests by creating and deleting files in the subfolder. After
that, I checked at the file server's Security Log but nothing happens. It
only tracks the default Logon/Logoff Success Audits.

I have admin rights and have tested a few times. Could someone help?
Anonymous
December 31, 2004 5:52:45 AM

Make sure on that server that auditing of object access is indeed enabled.
Open Local Security Policy and look at the "effective" settings if the
server is Windows 2000. If the local and effective settings are different
then you have a domain or Organizational Unit Group Policy overriding local
policy and you will have to enable auditing of object access at that level
or put the server in its own OU with its own GPO to configure the policy.
The support tool gpresult can help determine which "computer" policies are
applying to a domain computer. If the file server is a domain controller,
you will have to configure in Domain Controller Security Policy. --- Steve


December 31, 2004 5:52:46 AM

It works! Thanks a lot expert!

"Steven L Umbach" wrote:

> Make sure on that server that auditing of object access is indeed enabled.
> Open Local Security Policy and look at the "effective" settings if the
> server is Windows 2000. If the local and effective settings are different
> then you have a domain or Organizational Unit Group Policy overriding local
> policy and you will have to enable auditing of object access at that level
> or put the server in its own OU with its own GPO to configure the policy.
> The support tool gpresult can help determine which "computer" policies are
> applying to a domain computer. If the file server is a domain controller,
> you will have to configure in Domain Controller Security Policy. --- Steve
Anonymous
December 31, 2004 9:03:59 PM

Cool. Shucks I am no expert, I just read a lot. Now the fun begins for you
to search through all those event IDs 560 and 562. --- Steve


"Joanne" <Joanne@discussions.microsoft.com> wrote in message
news:7B911EA4-D31B-4F8B-8BF5-DBEC283C01D9@microsoft.com...
> It works! Thanks a lot expert!
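Added example, not part of the original thread: one way to do the search Steve mentions, pairing each event 560 (object open) that requested DELETE access under an audited folder with its event 562 (handle closed). The flattened one-line export format, the sample records, the folder path and the names parse and delete_opens are all constructed for illustration.

```python
# Constructed sample: Security-log events flattened to one line each.
# Assumed layout: id;time;Field=Value pairs taken from the event description.
SAMPLE = r"""
560;2004-12-31 09:14:02;Object Name=D:\Data\Projects\budget.xls;New Handle ID=1284;Process ID=8;Primary User Name=FILESRV$;Client User Name=jdoe;Accesses=DELETE,ReadAttributes
562;2004-12-31 09:14:02;Handle ID=1284;Process ID=8
560;2004-12-31 09:20:45;Object Name=D:\Data\Projects\plan.doc;New Handle ID=1300;Process ID=8;Primary User Name=FILESRV$;Client User Name=asmith;Accesses=ReadData,ReadAttributes
560;2004-12-31 09:31:10;Object Name=D:\Data\Projects\old.txt;New Handle ID=1312;Process ID=940;Primary User Name=Administrator;Client User Name=-;Accesses=DELETE
560;2004-12-31 09:40:00;Object Name=D:\Data\ProjectsOld\x.txt;New Handle ID=1320;Process ID=8;Primary User Name=FILESRV$;Client User Name=jdoe;Accesses=DELETE
"""

def parse(text):
    """Turn each flattened line into a dict keyed by field name."""
    events = []
    for line in text.strip().splitlines():
        event_id, when, *pairs = line.split(";")
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"id": event_id, "time": when, **fields})
    return events

def delete_opens(events, folder):
    """Return 560 events under `folder` whose access list includes DELETE.

    A 560 event shows who opened the object with DELETE access; it does
    not by itself prove that the object was removed.
    """
    # Trailing backslash so D:\Data\Projects does not match D:\Data\ProjectsOld.
    prefix = folder.rstrip("\\").lower() + "\\"
    closed = {(e["Handle ID"], e["Process ID"]) for e in events if e["id"] == "562"}
    hits = []
    for e in events:
        if e["id"] != "560" or not e["Object Name"].lower().startswith(prefix):
            continue
        if "DELETE" not in e["Accesses"].upper().split(","):
            continue
        # Assumption: over the network the remote user is the client and the
        # primary is the server account; for local access the client is "-".
        client = e["Client User Name"]
        hits.append({
            "time": e["time"],
            "user": e["Primary User Name"] if client == "-" else client,
            "object": e["Object Name"],
            "handle_closed": (e["New Handle ID"], e["Process ID"]) in closed,
        })
    return hits

if __name__ == "__main__":
    for hit in delete_opens(parse(SAMPLE), r"D:\Data\Projects"):
        print(hit)
```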