Archived from groups: microsoft.public.win2000.security (
More info?)
You would have to first enable auditing of object access on computer
WINXPPRO24 and then audit that parent folder and/or the file test.txt for
whatever permissions you wanted to audit for the user Mary Jane [assuming
you want to audit just that users]. Then you would have to look in the
security log on WINXPPRO24 for Event ID's 560 and 562 to see if she has
accessed that file. Object access and the actual folder/file auditing needs
to be enabled on the computer where the folder/file resides. --- Steve
"GX" <GX@DOMAIN.com> wrote in message
news:Hid9d.70225$uN5.7435@tornado.tampabay.rr.com...
> Steve,
>
> Let me stay on the same subject here...
> Question: If you enable Object Access on Domain Controller (DC1SVR) to be
> audited, how can you tell that the file (test.txt) under the machine
> WINXPPRO24 > C:\Documents and Settins\John.Doe\My Documents\My Test Files
> was accessed by the user Mary Jane?
>
> Do you have to enable the Auditing on that specifi folder on the remote
> machine or can you do it from the DC?
>
> Thanks
> GX
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news
Qk8d.119482$wV.11272@attbi_s54...
>> You will have to enable auditing of object access on the computer where
>> you want to track object access for folders/files. If you enable in
>> Domain Controller Security Policy it will record only files on domain
>> controller that the user accesses. If you want to enable in on multiple
>> computers you will have to enable it at the domain or Organizational Unit
>> level. Look for event ID's 560 and 562 in the security logs of the
>> computer or domain controller that the user accesses. --- Steve
>>
>>
http://www.microsoft.com/technet/security/guidance/secmod144.mspx --
>> great white paper on auditing
>>
>> "Ketta" <no@post.net> wrote in message
>> news:uoCWgokqEHA.3252@TK2MSFTNGP14.phx.gbl...
>>> Hi,
>>> I enabled auditing through domain controller policy and then set
>>> audit
>>> on success / failures for everything under C:. I only want to audit one
>>> users activity through the entire system when they login to the domain
>>> controller. Nothing shows up in the event log even though it is
>>> enabled. I
>>> have never used auditing before, but it looked pretty straight forward.
>>>
>>> 1. Enable auditing in the policy
>>> 2. Enable auditing on the security tab of choice
>>> 3. Watch the audit logs flow.
>>>
>>> TIA if anyone wants to educate me
>>>
>>> Ketta
>>>
>>>
>>
>>
>
>