How do I log changes to folder and files on the server in Windows 2008?

I have configured my server to audit object access (domain users - successful - create files/folders, delete sub-folders, delete) and configured my default domain controllers policy to audit object and directory service access (success) yet there are no entries on the security event for object access when any of these events occur.



I have just answered this exact question by someone else yesterday. See the PAQ at the link below for your answer.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28668241.html

Will.



I have just answered this exact question by someone else yesterday. See the PAQ at the link below for your answer.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28668241.html

Will.



Thanks Will, what is it in your answer that I have not already done? I am afraid I do not see.



what is it in your answer that I have not already done? I am afraid I do not see.

Only you can answer that. Personally this is not difficult to setup, so what i think might have happened is there might have been a missed step. Did you follow the complete tutorial to ensure that no steps were missed?

Will.



Unfortunately this article is not specific enough for my needs - it does not tell me which policy to modify.
As stated, I had already configured this for my domain controllers policy, this article suggests doing it on the default domain policy, so I have configured "Audit Object Access = Success" on this.
In your referred article it gives a 5 step process. But not all the steps appear in the article, plus it seems incomplete, for instance. It states
Enabling Object Auditing
If audit access to objects is chosen as part of the audit policy, either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server) must be also turned on. WHERE/HOW? Once the correct object access category has been turned on, each individual object's Properties can be used to specify whether to audit successes or failures for the specific access request to each group or user.


Step 3.
Configure the Event Log
- does not exists.

Remember, I have already -

1. Enabled the correct policy
2. Enabled auditing on the shared folder to audit successful (see attached)



Does this setting work on any other servers on your network? when you are looking in the Security Logs are you filtering on the correct events?

The link below outlines different types of events to filter on.
http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx

Also have you seen the below article.
http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx

Will.

Share this

Related Posts

There was an error in this gadget