File Auditing



On Windows 2000 Server with SP4,

I have
1) set up for C:\ D:\ file auditing for Everyone for file delete/write.
2) On Security Policy, set Audit of Object Access to Success and Failure

1) Even though I have NOT selected under file/directory properties->Audit->
audiiting of successful file read (without write), object handle open/close
of any files are audited when Security Policy is set to audit *successful*
object access-> I don't want to audit absolutely every single file
2) When Audit Policy is set to only audit Failure to object access, then no
successful file deletes/writes are audited at all!!

Roger Abell

In order to assist you need to tell us exactly what you have
enabled in the Auditing SACL, including the "Applies onto"
dropbox selection (which is likely where your mistake is).

Steven L Umbach

The nature of auditing of object access is that there will be many seemingly
unrelated events recorded in the security log. Try not to audit users and everyone
but instead create a global group or local groups of users you want to audit. Then
avoid auditing a whole drive but instead audit only critical folders. If possible
avoid auditing write or you will continue to large amounts in the security log. For
instance if this is a computer using the internet, a user will write thousands of
files to his temporary internet files in a short period of time. --- Steve

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Auditing file changes does not works 1
Object access 2
Auditing ? 1
Question on Audit Policy 1
Audit Policy 4
Auditing / Event Log Entries... 4
Auditing file deletions only 3
auditing logon failures 1