Audit file for failure

Archived from groups: microsoft.public.win2000.security (More info?)

I want to audit logon events and object access (specific files) for success
and failure in a Windows 2000 Domain. I am using Windows XP Pro (SP1) on the
machines and have 24 computers on an Ethernet. I want to know if and when
unauthorized persons are writing to these files. I have the audit policies in
place, rebooted, and then set up auditing on the folder with the files. I
then shared the folder and verified the shared folder and NTFS permissions.
The Security log shows plenty of “successes� but no “failures� when I try to
change the file over the network. It works with both “successes� and
“failures� when I log in as a user on the local machine and try to change the
file. What did I miss to make this work over the network?
--
I'd rather be sailing.

Archived from groups: microsoft.public.win2000.security (More info?)

I have just "read" permission on the shared folder. Will that prevent
auditing on files within the folder?

"Roger Abell [MVP]" wrote:

> "mjnjr" <mjnjr@discussions.microsoft.com> wrote in message
> news:53EC3C3B-411C-43D4-92FC-1462C49790CE@microsoft.com...
> >I want to audit logon events and object access (specific files) for success
> > and failure in a Windows 2000 Domain. I am using Windows XP Pro (SP1) on
> > the
> > machines and have 24 computers on an Ethernet. I want to know if and when
> > unauthorized persons are writing to these files. I have the audit policies
> > in
> > place, rebooted, and then set up auditing on the folder with the files. I
> > then shared the folder and verified the shared folder and NTFS
> > permissions.
> > The Security log shows plenty of "successes" but no "failures" when I try
> > to
> > change the file over the network. It works with both "successes" and
> > "failures" when I log in as a user on the local machine and try to change
> > the
> > file. What did I miss to make this work over the network?
> > --
> > I'd rather be sailing.
>
> The share-level permissions are sufficiently loose so that the attempt
> will get through to the NTFS level failure ??
>
> --
> Roger
>
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

It will not prevent auditing, but it seems reasonable that it
will prevent the redirector from allowing access to the file
at the NTFS level, and there is not sufficient permission to
use the share that way.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"mjnjr" <mjnjr@discussions.microsoft.com> wrote in message
news:A77A4867-2B52-40AE-8BCC-0F6D45140FAF@microsoft.com...
>I have "read" permission on the folder. Will that prevent auditing for
> failure on files within the folder?
>
> "Roger Abell [MVP]" wrote:
>
>> "mjnjr" <mjnjr@discussions.microsoft.com> wrote in message
>> news:53EC3C3B-411C-43D4-92FC-1462C49790CE@microsoft.com...
>> >I want to audit logon events and object access (specific files) for
>> >success
>> > and failure in a Windows 2000 Domain. I am using Windows XP Pro (SP1)
>> > on
>> > the
>> > machines and have 24 computers on an Ethernet. I want to know if and
>> > when
>> > unauthorized persons are writing to these files. I have the audit
>> > policies
>> > in
>> > place, rebooted, and then set up auditing on the folder with the files.
>> > I
>> > then shared the folder and verified the shared folder and NTFS
>> > permissions.
>> > The Security log shows plenty of "successes" but no "failures" when I
>> > try
>> > to
>> > change the file over the network. It works with both "successes" and
>> > "failures" when I log in as a user on the local machine and try to
>> > change
>> > the
>> > file. What did I miss to make this work over the network?
>> > --
>> > I'd rather be sailing.
>>
>> The share-level permissions are sufficiently loose so that the attempt
>> will get through to the NTFS level failure ??
>>
>> --
>> Roger
>>
>>
>>