Auditing.. We all love it...




I am working at a government site. The security here is really high. I have
to enable auditing for the entire %SystemDrive% on each workstation. That's
the easy part.

I have the auditing configured using a GPO: Computer Configurations | Windows
Settings | Security Settings | File System. I have set up a standard set of
NTFS permissions, and I have applied auditing to the entire drive using this
GPO. Now, when I view my security log file, I have WAY TOO MANY 'SYSTEM'
audits for object access. Now, object access is what I'm trying to audit for
all users, but not for the system. I mean, who really cares what the system
is doing...

So my question is, how do I audit object access for all users and omit the
system activities from being audited?

I have auditing set up to audit anyone in the Authenticated Users group. If I
change this to, say, Domain Users, will the system object access events leave
my security log?

Any ideas? (BTW, Auditing SUCKS!)

Drum on .. .. . . .

Simon Geary

There are a lot of 3rd party products out there that do a better job of
collating security event logs; it sounds like one might be useful for you.
These typically allow you to filter out the garbage you don't want to see
and let you check logs from several servers from the one console. e.g.

Ryan Hanisco

Remember that the system is a security principal too and a consumer of
system resources, thus creating events. You can filter events so you don't
see them. This might be the best way to get what you want.
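
The filtering suggested in the replies above, sketched as an added example that is not part of the original thread: it reads Security-log events exported as XML and keeps only object-access records whose subject is not a built-in service account. It assumes the current Windows event schema (event IDs 4656 and 4663, a `SubjectUserSid` data field) and an export wrapped in a root element, such as `wevtutil qe Security /f:xml /e:Events` produces; the function name and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Well-known SIDs: LocalSystem, LocalService, NetworkService.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Assumed object-access event IDs on current Windows: handle requested, object accessed.
OBJECT_ACCESS_IDS = {"4656", "4663"}

def _event(eid, sid, name, obj):
    """Build one constructed sample event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="SubjectUserSid">{sid}</Data>'
            f'<Data Name="SubjectUserName">{name}</Data>'
            f'<Data Name="ObjectName">{obj}</Data></EventData></Event>')

# Constructed sample data, not taken from a real log.
SAMPLE = "<Events>" + "".join([
    _event(4663, "S-1-5-18", "WS01$", r"C:\Windows\Temp\a.tmp"),
    _event(4663, "S-1-5-21-1111-2222-3333-1104", "jdoe", r"C:\Data\plan.doc"),
    _event(4656, "S-1-5-20", "NETWORK SERVICE", r"C:\Windows\System32\x.dll"),
    _event(4624, "S-1-5-21-1111-2222-3333-1104", "jdoe", "-"),
]) + "</Events>"

def user_object_access(xml_text, excluded_sids=SERVICE_SIDS):
    """Return object-access events whose subject is not a built-in service account."""
    kept = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        if eid not in OBJECT_ACCESS_IDS:
            continue  # logons and other categories are out of scope here
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        # Match on the SID, not the display name; a record with no SID is kept for review.
        if data.get("SubjectUserSid") in excluded_sids:
            continue
        kept.append({"id": eid, "sid": data.get("SubjectUserSid"),
                     "user": data.get("SubjectUserName"), "object": data.get("ObjectName")})
    return kept

if __name__ == "__main__":
    for row in user_object_access(SAMPLE):
        print(row)
```

The events are still written to the log; this only narrows what a reviewer sees, so the full record stays available if SYSTEM activity later needs to be examined.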
