
Auditing file changes does not work

Anonymous
October 21, 2004 3:54:43 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi all,

I have a folder shared with full permissions enabled for a security group.
The folder is located on the domain controller. I want to log who modifies,
deletes or adds a file in this folder and subfolders. Then I did the
following way:

First I enabled auditing for this folder:
-Right click of the mouse over the folder, Properties menu/Security
tab/Advanced button/Auditing tab
-Selected the security group I want to audit
-Selected "This folders, subfolders..." from the combo
-Checked the options "Create Files/Write Data", "Create Folders/Append
Data", "Delete Subfolders and Files", "Delete" for both Success and Failure
-The checkbox for "Allow inheritable auditing entries from parent to
propagate..." was enabled

The folder is shared read-only for Everyone, and full for the security group
I want to audit. Security settings on folder are set as default: Everyone,
full access (inherited from C:\ ).

I made some changes to files in the audited folder. Then I opened Event
Viewer / Security and nothing appears.

After that I remembered I should modify the policies on the PC, to allow
auditing. Then I did the following:
-Opened Domain Controller Security Policy
-Opened Windows Settings/Security Settings/Local Policies/Audit Policy
-Enabled "Audit Object Access" and "Audit Privilege Use" for both success
and failure

Then tested again to make some changes on files on the audited folder and
again nothing was logged.

What am I missing?

Thanks in advance
Faustino


Anonymous
October 22, 2004 7:01:33 AM

You have to enable auditing of object access first in "Domain Controller
Security" policy before folder auditing will work. Then you should see event
IDs 560 and 562 appearing in the security log. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;300549 -- how to
enable auditing.

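Once events 560 and 562 do appear, the original goal (who modified, added or deleted files) comes from pairing them. The sketch below is an added example, not part of either post: it matches each 560 open that requested a write or delete right with its 562 close by process and handle ID. The records are constructed, and the field and access names are assumed to follow the Windows 2000 event descriptions.

```python
import re

# Constructed sample records (not from the thread), shaped like the
# description text of Security events 560 (open) and 562 (handle closed).
SAMPLE = """\
Event ID: 560
Object Name: D:\\Shared\\report.doc
New Handle ID: 1480
Process ID: 8
Client User Name: jdoe
Accesses: ReadData (or ListDirectory), WriteData (or AddFile)

Event ID: 562
Handle ID: 1480
Process ID: 8

Event ID: 560
Object Name: D:\\Shared\\old.xls
New Handle ID: 1512
Process ID: 8
Client User Name: asmith
Accesses: DELETE
"""

# Assumed access names matching the audit boxes ticked in the question.
CHANGE_RIGHTS = ("WriteData", "AppendData", "DeleteChild", "DELETE")

def parse_events(text):
    """Split blank-line separated records into dicts of field -> value."""
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l)
            for b in re.split(r"\n\s*\n", text.strip())]

def change_opens(events):
    """Pair each 560 open that requested a change right with its 562 close."""
    open_handles, report = {}, []
    for ev in events:
        key = (ev.get("Process ID"), ev.get("New Handle ID") or ev.get("Handle ID"))
        if ev.get("Event ID") == "560":
            rights = [r for r in CHANGE_RIGHTS if r in ev.get("Accesses", "")]
            if rights:
                # Share access is assumed, so the user is the client name.
                entry = {"user": ev["Client User Name"], "object": ev["Object Name"],
                         "rights": rights, "closed": False}
                open_handles[key] = entry
                report.append(entry)
        elif ev.get("Event ID") == "562" and key in open_handles:
            open_handles.pop(key)["closed"] = True
    return report
```

A 560 record shows the access rights requested when the handle was opened, not that data was actually changed, so treat each entry as a lead to confirm rather than proof of a modification.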