Cannot see audit events in security log

[Frank Thynne]

My client has a stand-alone Windows 2000 Professional computer. We are
trying to establish auditing on a folder and its contents. We have
turned on auditing in local policy and enabled success and failure
auditing on objects. In the advanced section of the security
properties of the folder we have set auditing for the Everyone group
and specified that the property will be propagated to files and
folders contained in it. We have verified that the property is
inherited by a file copied into the folder.

After doing those things, and accessing a file in the audited folder,
we do not see anything relevant in the Security Event Log. I must be
missing something obvious, but I do not know what it is! Can anyone
advise?

 

[Steven L Umbach]

If you enabled auditing of object access then you should see events in the
security log. Look for event ID's such as 560 and 562. Be sure to increase
the size of the security log quite a bit and clear the log first. Note that
if the security log is configured to not override events that the log will
not add any more events until it is manually cleared. --- Steve

 

[Frank Thynne]

Steven, thanks for responding.

I have meanwhile carried out similar tests on another PC and found
that everything worked as I expected, and I could indeed find 560 and
562 events in the security log - but it still isn't working in the
problem PC. The only significant differences that I can think of are:

1. the problem PC is standalone while the working one is a member of a
Windows domain, and

2. the problem PC was originally set up with a FAT file system (not by
me!) and I did not notice that it wasn't NTFS until after I enabled
auditing.

I tried turning auditing off and on again after converting to NTFS in
case the setting had not been effective while the file system was FAT,
but it made no difference.

 

[Steven L Umbach]

If auditing of object access for success and failure has been enabled in the
Local Security Policy [secpol.msc] on that computer and auditing has been
enabled for the proper folder, normally security events for object access
should be recorded in the security log after trying to access the folder as
a user that has auditing enabled for. If you have not done such try clearing
the security log and rebooting the computer that is giving you problems
verifying that auditing is still enabled for object access in Local Security
Policy. I can't think of much else to try offhand. --- Steve