Logging authentication events and auditing file and folder access are two
different things, from an event capture perspective.
If you set up auditing of login events, policy change, etc., these things
will be captured in the DC event logs. However, if you wish to capture
object access events at the file/folder level, you need to enable auditing
on the file, folder(s), or drive(s) that you wish to monitor. If Windows
captured these types of events for all files and folders as soon as auditing
was enabled at the system level, event logs would either fill up or rotate
out so fast that they'd be worthless.
Enabling auditing at the system level is only half of the process. And you
probably want to be pretty judicious in your use of the second half of that
process.
Jeffrey said:
I have about 70 Win2K Professional machines in a domain with one D.C. I
set the group policy for the domain to log failures for all nine policies as
well as success on account logon events, account management, logon events,
and policy change. "Access is denied" error messages are displayed on the
screen when attempting to access a folder without proper permissions, but
nothing shows up in the event viewer. Any ideas? Thanks.
