Turning on auditing ?

J

jay

Let's say we're concerned about who's accessing or deleting files on a file
server in an AD environment.

How would you go about enabling auditing so only such events would be
audited?

Also, would you do it (auditing) at the server level, or domain level?


Thanks in advance.
 
B

Ben [MSFT]

Jay,

Check out KB 301640 http://support.microsoft.com/?id=301640. This should
walk you through the steps to enable auditing.

File auditing must be set at 2 places First you need to enable the audit
policy, this can be done either from any policy (local or domain) as long
as the machine that the chosen files sit on applies that GPO.

Then you must also select which specific files or directories that want to
be auditied. Once the policy is enabled and the concerned files/directores
are selected then the events will be audited in the Security event log on
that particular machine.

blim
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| >From: "jay" <[email protected]>
| >Newsgroups:
alt.certification.mcse,microsoft.public.win2000.active_directory,microsoft.p
ublic.win2000.general,microsoft.public.win2000.security
| >Subject: Turning on auditing ?
| >Lines: 12
| >X-Priority: 3
| >X-MSMail-Priority: Normal
| >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| >X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| >Message-ID: <[email protected]>
| >Date: Thu, 04 Dec 2003 06:19:51 GMT
| >NNTP-Posting-Host: 67.31.35.166
| >X-Complaints-To: (e-mail address removed)
| >X-Trace: newsread1.news.atl.earthlink.net 1070518791 67.31.35.166 (Wed,
03 Dec 2003 22:19:51 PST)
| >NNTP-Posting-Date: Wed, 03 Dec 2003 22:19:51 PST
| >Organization: EarthLink Inc. -- http://www.EarthLink.net
| >Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.su
l.t-online.de!t-online.de!news.tele.dk!news.tele.dk!small.news.tele.dk!news-
out.visi.com!petbe.visi.com!newsfeeds-atl2!news.webusenet.com!elnk-atl-nf1!n
ewsfeed.earthlink.net!stamper.news.atl.earthlink.net!newsread1.news.atl.eart
hlink.net.POSTED!c251f72d!not-for-mail
| >Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.general:100001
microsoft.public.win2000.security:16963
microsoft.public.win2000.active_directory:58131
| >X-Tomcat-NG: microsoft.public.win2000.security
| >
| >Let's say we're concerned about who's accessing or deleting files on a
file
| >server in an AD environment.
| >
| >How would you go about enabling auditing so only such events would be
| >audited?
| >
| >Also, would you do it (auditing) at the server level, or domain level?
| >
| >
| >Thanks in advance.
| >
| >
| >
 
T

Tim Hines [MSFT]

Auditing is enabled by group policies. It can be set at a domain level or
on a server in the local policy. The following articles will walk you
through this.

300549 HOW TO: Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/?id=300549
301640 HOW TO: Set, View, Change, or Remove Auditing for a File or Folder in
http://support.microsoft.com/?id=301640


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

file auditing not working 2
Object auditing: event log doesn't show which object is being audi 2
File auditing not working properly 1
Authentication Auditing 5
Auditing file changes does not works 1
Folder level auditing.. 1
Auditing logon and logoff isn't getting into Security log 3
Effect of auditing SYSVOL directory? 1

Top