Auditing ?




I am configuring an audit policy for my network. Security is pretty tight
here and they are requreing me to audit the entire C: drive for object
access. I am currently auditing the user group 'Authenticated Users' for
Success/Failure on the following:

Create Files / Write Data
Create Folders / Append Data

Now this works as expected, but its also producing object access events with
the username of 'System'.

I do NOT want to audit system events. Is the system part of the
authenticated users group, and if so , what group should i be auditing (on my

I have disable the GPO object to audit system events. Computer
Configurations | Windows Settings | Security Settings | Local Policies |
Audit Policy | Audit System Events is set to "No Auditing". I am doing this
a the domain root and im only a single domain. No connection to any other
domains at all. But im still getting events for object access by the 'system'
account. This is obviusly filling up my security logs rather quickly, and I
dont care what the system is doing.

Anyone know what im doing wrong on this ? How do i get rid of the object
access from the system?


Drum on .. ... . . .

Roger Abell

Authenticated Users contains all accounts, of people and machines, that
use an authentication method to establish a logged on session.
System is the local name for the machine's account.
You should determine what it is you are being asked to audit,
If it is all access, then you should use Everyone.
If it is all access by our people, then you could consider Domain Users
and Administrators (which will exclude local accounts and machines).

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question