Jay,
Check out KB 301640
http://support.microsoft.com/?id=301640. This should
walk you through the steps to enable auditing.
File auditing must be set at 2 places First you need to enable the audit
policy, this can be done either from any policy (local or domain) as long
as the machine that the chosen files sit on applies that GPO.
Then you must also select which specific files or directories that want to
be auditied. Once the policy is enabled and the concerned files/directores
are selected then the events will be audited in the Security event log on
that particular machine.
blim
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| >From: "jay" <
[email protected]>
| >Newsgroups:
alt.certification.mcse,microsoft.public.win2000.active_directory,microsoft.p
ublic.win2000.general,microsoft.public.win2000.security
| >Subject: Turning on auditing ?
| >Lines: 12
| >X-Priority: 3
| >X-MSMail-Priority: Normal
| >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| >X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| >Message-ID: <
[email protected]>
| >Date: Thu, 04 Dec 2003 06:19:51 GMT
| >NNTP-Posting-Host: 67.31.35.166
| >X-Complaints-To: (e-mail address removed)
| >X-Trace: newsread1.news.atl.earthlink.net 1070518791 67.31.35.166 (Wed,
03 Dec 2003 22:19:51 PST)
| >NNTP-Posting-Date: Wed, 03 Dec 2003 22:19:51 PST
| >Organization: EarthLink Inc. --
http://www.EarthLink.net
| >Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.su
l.t-online.de!t-online.de!news.tele.dk!news.tele.dk!small.news.tele.dk!news-
out.visi.com!petbe.visi.com!newsfeeds-atl2!news.webusenet.com!elnk-atl-nf1!n
ewsfeed.earthlink.net!stamper.news.atl.earthlink.net!newsread1.news.atl.eart
hlink.net.POSTED!c251f72d!not-for-mail
| >Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.general:100001
microsoft.public.win2000.security:16963
microsoft.public.win2000.active_directory:58131
| >X-Tomcat-NG: microsoft.public.win2000.security
| >
| >Let's say we're concerned about who's accessing or deleting files on a
file
| >server in an AD environment.
| >
| >How would you go about enabling auditing so only such events would be
| >audited?
| >
| >Also, would you do it (auditing) at the server level, or domain level?
| >
| >
| >Thanks in advance.
| >
| >
| >