audit folder/file delet

E

Edy Werder

Dear all,

I try to audit a folder and its subdirectory for deletion.

The folder is located on a domain controller. I understand I have
first to enable in local security policy, audit policy, audit object
access. After that I go to Windows Explorer, select the folder, right
click it, poperties, security, advanced, auditing, add.

The result I see in the event viewer under security. Basicalyl it
works, but I see a lot of other activity for registry keys, mmc.exe as
soon as I have activate the policy. Is that normal? It quickly files
the audit log. All I want to see there is entries for auditing the
folder.

Best regards
Edy
 
S

Steven L Umbach

Unfortunately you cant stop the "related" events. Your best bet is to increase the
size of the security log and only audit the bare number of permissions for the bare
number of users avoiding the "everyone" group. You can use filter view to narrow down
your search or maybe something like Event Comb from Microsoft. --- Steve
 
B

Bob Qin [MSFT]

Hi Edy,

Thanks for your posting here.

You can specify a filter that limits the type of information that you want
Event Viewer to display. These filters only affect which event log items
are displayed in the viewer.

To filter events:

1. Click Start, point to Programs, point to Administrative Tools, and then
click Event Viewer.

2. In the console tree, right-click the appropriate log file, and then
click Properties.

3. Click the Filter tab.

4. Type the appropriate information that you would like to filter.

5. Click OK.

For more information, please refer to the following article.

Diagnose System Problems with Event Viewer in Microsoft Windows 2000
http://support.microsoft.com/?id=302542

Have a nice day!

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
E

Edy Werder

Thanks Steven,

Is there any other third party product, which could do the same not
using event viewer and the policy?

Regards
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Auditing file changes does not works 1
Audit Logon Events vs. Audit Account Logon Events 1
Auditing / Event Log Entries... 4
enable folder audit causes a lot of events 560 562 1
Auditing shared folders... 1
Auditing file deletions only 3
Object Access Audit Policy for a Domain 4
Auditing Object success 1

Top