Auditing object access

Aatmaram

Dear all, I want to enable auditing for file/folder on a
Win2k server (the Win2k server is acting as a domain
controller and I kept our data on shared volumes on this
server). What I did is this: Local Security Policy doesn't
work on a DC, so I enabled "object access - SUCCESS/FAILURE"
found under DOMAIN CONTROLLER SECURITY POLICY and enabled
auditing on one folder (read, write and delete auditing)
for test purposes. The problem is that it is
generating thousands of security logs (event ID 560 & 562)
within 10 mins. I disabled the domain controller security
policy and enabled the group policy found under AD USERS &
COMPUTERS but found the same result. One more thing: the
effective policy in Local Security Policy is changing
according to the group policy, so where am I going wrong?
 
Steven L Umbach

Local Security Policy will be overridden by Domain/OU/or Domain Controller Security
Policy [for domain controllers only] as shown by effective permissions being
different than local.

Enabling auditing on folders will generate tons of events. To minimize the events,
audit the bare number of needed folders, for the bare number of needed users, and for
the bare number of needed permissions. Avoid auditing the everyone/users group, using
a specific group instead, and audit only what permission you want to track. If you
simply want to see who accessed a file just audit the read permission. If you want to
see who deletes a file, just audit the delete permission. -- Steve
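
The narrow audit entry described in the reply above, as an added example that is not part of the original thread: it drops explicit audit entries for broad groups on one folder and audits only the Delete permission for one specific group. It assumes a host with PowerShell (not present on a stock Windows 2000 server, where the same settings are made on the folder's Auditing tab); the folder path and group name are hypothetical.

```powershell
# Added example. $Path and $Group are hypothetical placeholders.
$Path  = 'D:\Shares\Finance'
$Group = 'EXAMPLE\Finance-Audited'

# Read the folder's security descriptor including the SACL.
# Needs the "Manage auditing and security log" user right.
$acl = Get-Acl -Path $Path -Audit

# Remove explicit (non-inherited) audit entries for broad principals,
# which are the usual source of event floods.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$explicit = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])
foreach ($entry in $explicit) {
    if ($broad -contains $entry.IdentityReference.Value) {
        $acl.RemoveAuditRuleSpecific($entry)
    }
}

# Audit only Delete, only for the specific group, on the folder and
# everything beneath it, for both successful and failed attempts.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)

# Write the modified descriptor back to the folder.
Set-Acl -Path $Path -AclObject $acl

# Show the resulting audit entries so the scope can be checked.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Inherited audit entries are left untouched by this script; if the flood comes from a parent folder's SACL, that entry has to be narrowed where it is defined.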
 
