Auditing file changes does not works

Archived from groups: microsoft.public.win2000.security (More info?)

Hi all,

I have a folder shared with full permisions enabled for a security group.
The folder is located on the domain controller. I want to log who modifies,
deletes or adds a file in this folder and subfolders. Then I did the
following way:

First I enabled auditing for this folder:
-Right click of the mouse over the folder, Properties menu/Security
tab/Advanced button/Auditing tab
-Selected the security group I want to audit
-Selected "This folders, subfolders..." from the combo
-Checked the options "Create Files/Write Data", "Create Folders/Append
Data", "Delete Subfolders and Files", "Delete" for both Success and Failure
-The checkbox for "Allow inheritable auditing entries from parent to
propagate..." was enabled

The folder is shared read-only for Everyone, and full for the security group
I want to audit. Security settings on folder are set as default: Everyone,
full access (inherited from C:\ ).

I made some changes to files in the audited folder. Then I opened Event
Viewer / Security and nothing appears.

After that I remembered I should modify the policies on the PC, to allow
auditing. Then I did the following:
-Opened Domain Controller Security Policy
-Opened Windows Settings/Security Settings/Local Policies/Audit Policy
-Enabled "Audit Object Access" and "Audit Privilege Use" for both success
and failure

Then tested again to make some changes on files on the audited folder and
again nothing was logged.

What I'm missing?

Thanks in advance
Faustino
1 answer Last reply
More about auditing file works
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    You have to enable auditing of object access first in "Domain Controller
    Security" policy before folder auditing will work. Then you should see event
    ID's 560 and 562 appearing in the security log. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;300549 -- how to
    enable auditing.

    "Faustino Dina" <ffdina@matusa.com.mx> wrote in message
    news:O3LSh24tEHA.2956@TK2MSFTNGP12.phx.gbl...
    > Hi all,
    >
    > I have a folder shared with full permisions enabled for a security group.
    > The folder is located on the domain controller. I want to log who
    > modifies,
    > deletes or adds a file in this folder and subfolders. Then I did the
    > following way:
    >
    > First I enabled auditing for this folder:
    > -Right click of the mouse over the folder, Properties menu/Security
    > tab/Advanced button/Auditing tab
    > -Selected the security group I want to audit
    > -Selected "This folders, subfolders..." from the combo
    > -Checked the options "Create Files/Write Data", "Create Folders/Append
    > Data", "Delete Subfolders and Files", "Delete" for both Success and
    > Failure
    > -The checkbox for "Allow inheritable auditing entries from parent to
    > propagate..." was enabled
    >
    > The folder is shared read-only for Everyone, and full for the security
    > group
    > I want to audit. Security settings on folder are set as default: Everyone,
    > full access (inherited from C:\ ).
    >
    > I made some changes to files in the audited folder. Then I opened Event
    > Viewer / Security and nothing appears.
    >
    > After that I remembered I should modify the policies on the PC, to allow
    > auditing. Then I did the following:
    > -Opened Domain Controller Security Policy
    > -Opened Windows Settings/Security Settings/Local Policies/Audit Policy
    > -Enabled "Audit Object Access" and "Audit Privilege Use" for both success
    > and failure
    >
    > Then tested again to make some changes on files on the audited folder and
    > again nothing was logged.
    >
    > What I'm missing?
    >
    > Thanks in advance
    > Faustino
    >
    >
Ask a new question

Read More

Security Domain Controller Microsoft Windows