Auditing object access



dear all, i want to enable auditing for file/folder on
win2k server (win2k server is acting as a domain
controller and i kept our data on shared volumes on this
server). now what i did is: local security policy doesnt
work on DC so i enabled "object access - SUCCESS/FAILURE"
auditing on one folder (read, write and delete auditing)
for test purpose but the problem here is that it is
generating thousand of security logs (event ID 560 & 562)
within 10 mins. I disabled doamin controller security
policy and enable group policy found under AD USERS &
COMPUTERS but found the same result. one more thing that
effective policy on local security policy is changing
according to the group policy so where m i doing wrong ?

Steven L Umbach

Local Security Policy will be overridden by Domain/OU/or Domain Controller Security
Policy [for domain controllers only] as shown by effective permissions being
different that local.

Enabling auditing on folders will generate tons of events. To minimize the events,
audit the bare number of needed folders, for the bare number of needed users, and for
the bare number of needed permissions. Avoid auditing the everyone/users group, using
a specific group instead, and audit only what permission you want to track. If you
simply want to see who accessed a file just audit the read permission. If you want to
see who deletes a file, just audit the delete permission. -- Steve

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question