Auditing

Carl Hilton

I have a server with user files and the permissions on the folders keep
getting changed. I turned on Auditing for CHANGE PERMISSIONS SUCCESS but can
see nothing in the SECURITY log... This is on a W2K SERVER... Do I need to
reboot the server for the auditing to take effect? What is the EVENT ID I
should be looking for?

Thanks
Carl
 
Steven L Umbach

Hi Carl.

Make sure that you enable auditing of object access on your server first. This is
done in the appropriate security policy which could be local or domain/OU for domain
members and Domain Controller Security Policy for domain controllers. You want to
make sure that the effective setting is configured the way that you want which takes
into account GPO that can override local policy. You should not have to reboot and
using secedit /refreshpolicy machine_policy /enforce will speed up application of
security policy. Event IDs 560 and 562 will contain information for object access.
The link below explains in more detail. Be sure to audit only permissions you want to
track for users you want to track [avoid everyone and users] to keep the number of
events in the security log lower which will still be very substantial.

--- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
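
An added example, not part of the thread: once object access auditing is producing events, a short script can pull the permission-change candidates out of the volume of 560 events mentioned above. It assumes the Security log has been exported as (event ID, description text) pairs and that the description uses the field labels shown; the sample events, user names and paths are constructed.

```python
# Constructed sample: (event ID, description) pairs, as they might look after
# exporting the Security log to text. The field layout is an assumption.
SAMPLE_EVENTS = [
    (560, "Object Open:\n"
          "\tObject Type: File\n"
          "\tObject Name: D:\\Users\\alice\n"
          "\tNew Handle ID: 1480\n"
          "\tClient User Name: bob\n"
          "\tClient Domain: EXAMPLE\n"
          "\tAccesses\t\tREAD_CONTROL\n"
          "\t\t\tWRITE_DAC\n"
          "\tPrivileges\t\t-\n"),
    (560, "Object Open:\n\tObject Name: D:\\Users\\carol\n"
          "\tClient User Name: dave\n\tClient Domain: EXAMPLE\n"
          "\tAccesses\t\tReadData (or ListDirectory)\n\tPrivileges\t\t-\n"),
    (562, "Handle Closed:\n\tObject Server: Security\n\tHandle ID: 1480\n"),
]

def parse_560(text):
    """Return (fields, accesses) parsed from one event 560 description."""
    fields, accesses, in_accesses = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Accesses"):      # access list starts on this line
            in_accesses = True
            line = line[len("Accesses"):].strip()
        elif line.startswith("Privileges"):  # access list ends here
            in_accesses = False
        if in_accesses:
            if line:
                accesses.append(line)
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, accesses

def permission_changes(events):
    """List (user, object) for 560 events that requested WRITE_DAC."""
    # WRITE_DAC is the access right needed to modify an object's permissions.
    # A 560 event records that the right was requested when the handle was
    # opened, so each hit is a lead to follow up, not proof of a change.
    hits = []
    for event_id, text in events:
        if event_id != 560:
            continue
        fields, accesses = parse_560(text)
        if "WRITE_DAC" in accesses:
            user = fields.get("Client Domain", "?") + "\\" + fields.get("Client User Name", "?")
            hits.append((user, fields.get("Object Name", "?")))
    return hits
```
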
 
