Effect of auditing SYSVOL directory?




Our auditors have asked us to audit the WINNT directory, and inside it is
the SYSVOL directory. I added the auditing of "Administrators/Full Control"
auditing. I got a 13567 as it was chugging through changing all the
auditing entries on all the policy files and experienced a temporary
replication storm. Something that was very interesting that I noticed
afterwards was that the auditing on that folder, found its way onto other
domain controllers in which the SYSVOL was on a different drive and thus not
set for auditing. I believe this was done as a result of DFS, if the
auditing settings were set on one, those auditing settings were replicated
via DFS to the files and folders of the SYSVOL on all domain controllers.

I have not actually enabled the policy for object access auditing. I'm
concerned about turning it on. I'm worried that auditing the SYSVOL may
cause File Replication to go crazy, and that AD would stop authenticating
people. I'm not auditing the Everyone group (thankfully) only the
Administrators group. But I was wondering if someone could perhaps provide
some insight on this. Should I enable object access auditing on the local
secpol of one DC? should I remove the auditing of the SYSVOL and brave the
temporary FRS storm so that when auditing policy is turned on it will be a
non-issue, or should I do nothing?

Any insight on this issue would be most appreciated.

Ryan Hanisco


You might want to take a look at the following article:


While this doesn't directly address your question, it certainly sets a
precedent for auditing the SYSVOL folder in a production environment. I
would, however, be careful of the detail to which you audit as you don't
want to overload your servers or log files.

Does anyone else have any input here?

Ryan Hanisco

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads