File access auditing

Jordon

Server 2000 SP4 running AD.

I have read many posts about how to log file and folder
access, but it doesn't seem to work. I've enabled auditing
of object access in a group policy on the domain controller.
I've changed the properties of the folder to be audited and
added the groups to audit and what's to be audited.

Nothing shows up in the security event viewer when files
are accessed, changed, added or deleted.

It's got to be something I've overlooked.

Can anyone steer me in the right direction?

--
Jordon
 
Re: File access auditing

Hello Jordon

Please describe what you have configured on which server, which policy and
where the policy is linked to, and on which machine you search for the event
entries. Please describe it in detail so that we can follow your thoughts.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Server 2000 SP4 running AD.
>
> I have read many posts about how to log file and folder access, but it
> doesn't seem to work. I've enabled auditing of object access in a
> group policy on the domain controller. I've changed the properties of
> the folder to be audited and added the groups to audit and what's to
> be audited.
>
> Nothing shows up in the security event viewer when files are accessed,
> changed, added or deleted.
>
> It's got to be something I've overlooked.
>
> Can anyone steer me in the right direction?
>
 
Re: File access auditing


I configured the group policy on the domain controller under
Windows Settings/Security Settings/Local Policies/Audit Policy/
Audit object access (success and failure).

Then I navigated to a folder on the file server (different
computer, but part of the domain) and under Properties/
Security/Advanced/Auditing I created a new policy to audit
domain users for List Folder / Read Data, Create Folders /
Append Data, Delete and Delete Subfolders and Files.

When that didn't work I turned on object access auditing on
the file server under the local policy and that seemed to do
the trick.

Why wouldn't a domain policy work? And what would it be for?

--
Jordon

Meinolf Weber wrote:
> Hello Jordon
>
> Please describe what you have configured on which server, which policy
> and where the policy is linked to, and on which machine you search for
> the event entries. Please describe it in detail so that we can follow your thoughts.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Server 2000 SP4 running AD.
>>
>> I have read many posts about how to log file and folder access, but it
>> doesn't seem to work. I've enabled auditing of object access in a
>> group policy on the domain controller. I've changed the properties of
>> the folder to be audited and added the groups to audit and what's to
>> be audited.
>>
>> Nothing shows up in the security event viewer when files are accessed,
>> changed, added or deleted.
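
The post above found that object access auditing had to be switched on at the file server itself, because the events are logged on the computer that holds the files. As an added example (not part of the thread), this Python code reads a security-template INF of the kind `secedit /export /cfg` writes on that server and reports whether `AuditObjectAccess` covers success and failure; the sample INF is constructed and the function names are hypothetical.

```python
"""Read the [Event Audit] section of a security-template INF and report
whether object access auditing is enabled for success and/or failure."""
import configparser

# Constructed sample, laid out like a security-template export.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPolicyChange = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Template encoding of an audit setting: bit 0 = success, bit 1 = failure.
SUCCESS, FAILURE = 1, 2


def audit_settings(inf_text):
    """Return {setting_name: (audit_success, audit_failure)} from [Event Audit]."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key case as written in the template
    parser.read_string(inf_text.lstrip("\ufeff"))  # tolerate a leading BOM
    if not parser.has_section("Event Audit"):
        return {}
    result = {}
    for name, raw in parser.items("Event Audit"):
        if name.startswith("Audit") and raw is not None:
            value = int(raw.strip())
            result[name] = (bool(value & SUCCESS), bool(value & FAILURE))
    return result


def object_access_gaps(inf_text):
    """List which of success/failure auditing of object access is missing."""
    settings = audit_settings(inf_text)
    success, failure = settings.get("AuditObjectAccess", (False, False))
    checks = (("success", success), ("failure", failure))
    return [label for label, enabled in checks if not enabled]


if __name__ == "__main__":
    print(object_access_gaps(SAMPLE_INF))
```

An empty list means both success and failure auditing of object access are set in the exported template; the folder's own auditing entries are still needed for events to be written.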
 
File access auditing

Same here, Jordon. Did exactly as you did, per MS tech bulletin instructions et al., but it did not work either.

Lots of replies here about this, huh?

If you do come up with anything on it, please let me know. I'll reciprocate.

- Dave
 