problems auditing object access

  • Thread starter: Andreas Wöckl

Andreas Wöckl

Hi Group!

I have a problem auditing object access of AD users. My problem is not
really that it does not work - my problem is that I have thousands of
entries in the event log of the user "Administrator" or "System" that show
access to (for example) "c:\windows\system32\mmc.exe" and so on. I do not
really find any entries in the folder "c:\windows\system32\mmc.exe" that
tell the system to audit this folder. I only want to audit a specified
folder like "d:\data" and nothing else - what could I do?

best regards

andreas wöckl
 
You can limit the flood of events that result from OA Auditing by
removing audit entries from system folders, the AD config head, etc.
but even after doing so, you will still end up with some events that
are sourced from 'SYSTEM'. Unfortunately, these are fairly hardwired
into the source code and there is just no way to get rid of them all.

Chris Malone
 
Hi Chris!

Thanks for your answer - do you know a better solution to monitor who
deletes files?

best regards

andy
 
There might be a 3rd-party product out there that performs auditing,
but Microsoft auditing is fairly efficient, provided you keep the
auditing entries limited and manage the security logs appropriately.

Chris
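
An added example, not part of the thread or any poster's own commands: one way to apply the advice above in PowerShell, first reporting which audit entries (SACLs) exist on the noisy system paths, then adding a delete-only audit entry on d:\data. It assumes an elevated session and that the Object Access audit policy is already enabled, as the original question implies; the paths come from the question, and auditing successful deletes for the Everyone group is an assumed choice.

```powershell
# Added example. Run elevated: reading or writing a SACL needs SeSecurityPrivilege.

# 1. Report which of the noisy locations carry audit entries, and whether each
#    entry is set on the object itself or inherited from a parent folder.
$suspects = 'C:\Windows', 'C:\Windows\System32', 'C:\Windows\System32\mmc.exe'
foreach ($path in $suspects) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path -Audit
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object @{ Name = 'Path'; Expression = { $path } },
                      IdentityReference, FileSystemRights, AuditFlags, IsInherited
}
# Entries with IsInherited = False are set on that object; inherited ones must be
# removed at the parent that defines them (Security > Advanced > Auditing).

# 2. Audit only successful deletes under D:\data.
$target   = 'D:\data'
# S-1-1-0 is the well-known SID for Everyone; using the SID avoids localized names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -LiteralPath $target -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $target -AclObject $acl

# 3. Confirm what is now audited on the target folder.
(Get-Acl -LiteralPath $target -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
```

Restricting the audited rights to the two delete rights keeps read and execute access out of the security log, which is where most of the volume comes from.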
 