file auditing not working

zooeyhall

I am trying to get file auditing working on my server. I
am a member of the domain admins group. I have enabled
file auditing on a test folder, and have told it to audit
for events such as deleting and creating, and associated
with my account. I have done some test writes and deletes
on the audited folder, but no events are being logged to
the server's security log. Is there something simple that
I am overlooking in getting this to work? Thanks so much
for any advice!
 
GX

Let's take this from this simple audit I was able to do; after hours of
trial and error it worked for me.
My boss asked to audit folders to make sure that only authorized people go
into those folders, and if someone tries to get in we can get alerted.

So I did this test, try it and I hope it works for you...

Step 1 - On the server Setup the Folder, Audit and NTFS Permission.
1. Create a folder (TESTAUDIT) and place some text files inside of it.
2. Go to the Properties of TESTAUDIT>RC>properties>Security>Click
Advanced>Select Auditing Tab>Click Add>Select the EVERYONE group>Click
OK>Now Click View/Edit>Select the "Failed" box on List Folder / Read
Data>Click OK>Click OK>Click Add>Select Domain Admins (Remove Everyone if
you have it there, you should be on the Security tab)>Click OK>Go to the
Sharing tab>share it as...I dunno...TESTAUDIT...Click Apply & OK

Now you should have access to this folder from the network, good! Now, the
rest...

Is this a member server or a DC? A member server takes 90 minutes for the GPO
replication, DCs take 5 minutes...unless you force it...so I would use a
DC.

So, go to your Start>Programs>Admin Tools>Local Security Policies>Security
Settings>Local Policies>Audit Policy.
Compare your Local vs. Effective. Do you have Audit Object Access enabled?
Where? Local or on the GPO? Well, make sure that the path for this directory
is under the "Default Domain Policy>Computer Configuration>Windows
Settings>Security Settings>File System>RC>Add
File>\\servername\shareddirectory\"

No GPO? So do you have it on the Local? kewl...if you don't have it you will
need to get this going...let's assume you have it and move on.

Now, create another user "testuser1" and log in as that user on another PC,
try to access the shared directory you did earlier and you will get a BIG
DENIED...Now go to the station you are logged in with the Domain Admin
account and check the Security Event viewer of the machine you set up the
folder on and look for the one that says "Object something" Failure....you
should be able to see an event made from the testuser1. Now you can modify
this to whatever you want...good luck because it is a pain.

Hope it works for you...

GX
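
The two prerequisites from the reply above (Object Access auditing effective on the machine, and an auditing entry on the folder), followed by a search of the Security log, as an added PowerShell example that is not part of the original posts. It assumes Windows Server 2008 or later (where `auditpol` and event ID 4656 exist), an elevated session on an English-language system, and a local path `C:\TESTAUDIT` for the thread's test folder.

```powershell
# Added example, not from the thread. Run elevated on the server holding the folder.
# Assumption: the thread's TESTAUDIT folder lives at C:\TESTAUDIT.
$path = 'C:\TESTAUDIT'

# 1. Policy half: show the effective audit setting for file system objects.
#    If this reports "No Auditing", auditing entries on folders log nothing.
#    To enable failure auditing locally (a domain GPO may override it):
#      auditpol /set /subcategory:"File System" /failure:enable
auditpol /get /subcategory:"File System"

# 2. Folder half: add an auditing entry (SACL) for failed
#    "List folder / read data" attempts by Everyone, inherited by children.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Confirm the entry is really on the folder.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 3. After a denied access attempt from the test account, list failure audits
#    for this path. Failed handle requests are logged as event 4656;
#    0x10000000000000 is the "Audit Failure" keyword bit.
$auditFailure = 0x10000000000000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { ($_.Keywords -band $auditFailure) -and
                   ($_.Message -like "*$path*") } |
    Select-Object TimeCreated, Id,
        @{ n = 'Account'; e = { $_.Properties[1].Value } },  # SubjectUserName
        @{ n = 'Object';  e = { $_.Properties[6].Value } }   # ObjectName
```

An empty result from step 3 while step 1 shows "No Auditing" points at the policy, not the folder; an empty result with auditing enabled points at the auditing entry (wrong principal, wrong access type, or Success selected where Failure was meant).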
 
