Auditing in local user policy overwritten

    Question

  • Hi,

    I'm trying to list files that are deleted in certain directories. For this, I've enabled auditing for object access in the local security policy.

    To refine the selection, I've used the auditpol tool to disable most of the non-significant subcategories:

    auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
    auditpol /set /subcategory:"File System" /success:enable /failure:disable
    auditpol /set /subcategory:"Registry" /success:disable /failure:disable
    auditpol /set /subcategory:"Kernel Object" /success:disable /failure:disable
    auditpol /set /subcategory:"SAM" /success:disable /failure:disable
    auditpol /set /subcategory:"Certification Services" /success:disable /failure:disable
    auditpol /set /subcategory:"Application Generated" /success:disable /failure:disable
    auditpol /set /subcategory:"File Share" /success:disable /failure:disable
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
    auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:disable

    Only File System success should be logged.

    All went well for a while, and I made a filter for the event log to see only events with ID 4656.

    But recently the local security policy was set to "No auditing". I've checked, and the only GPO that is being applied to this server is configured for auditing as "Not defined".

    Now, each time I set the auditing in Local Security Policy to "success" (for object access), all subcategories are enabled. When I run the above lines to refine things a bit, I notice that auditing is set to "no auditing" in the local security policy.

    So I guess I'm a bit stuck right now.


    • Edited by ruben.demey Thursday, September 26, 2013 2:33 PM
    Thursday, September 26, 2013 2:21 PM

All replies

  • Hi,

    Please run the command below to display the current audit policy for all subcategories:

    auditpol /get /category:*

    To enable the File System subcategory for success and failure:

    AUDITPOL /SET /SUBCATEGORY:"file system" /SUCCESS:ENABLE /FAILURE:ENABLE

    After running the command, recheck the current audit policy; if the file system is still not audited, please restart your computer.

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    Friday, September 27, 2013 5:24 AM
  • Hi,

    Any update? Please let us know if you would like further assistance.

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Cataleya Li
    TechNet Community Support

    Monday, September 30, 2013 6:31 AM
  • I've followed your instructions, and according to auditpol, file system is now audited for success and failure.

    But when I open the Local Security Policy and check under auditing, nothing's enabled. And thus, deleting files is not being audited. Restarting the server is something I'd really want to avoid, this is a DC.

    Monday, September 30, 2013 7:16 AM
  • Hi,

    As far as I know, on a DC, there is no more local security policy for Windows 2008 and above.

    The audit policy is applied to client computers, and in addition to the audit policy, to audit a file we should also configure the files' auditing permissions.

    Please follow the below link:

    http://sogeeky.blogspot.in/2006/07/how-to-audit-and-track-file-deletions.html

    Hope this helps.

    Regards,

    Yan Li



    Cataleya Li
    TechNet Community Support

    Tuesday, October 01, 2013 5:35 AM
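The last reply points out that the audit policy alone is not enough: the files themselves need an auditing entry (a SACL) before deletions show up in the Security log. The PowerShell below is an added example, not code from either participant in this thread. It assumes the File System subcategory is already enabled for success as the original post describes, that it runs in an elevated session, and that `$AuditPath` is a placeholder directory chosen for illustration. It adds a SACL entry for Delete requests, rechecks the policy with the same `auditpol` query the thread uses, and then lists the 4656 (handle requested) events the original poster was filtering on, keeping only those whose requested access mask includes the standard DELETE right (0x10000) on objects under that directory.

```powershell
# Added example, not from the thread. Assumes an elevated session and that the
# "File System" audit subcategory is already enabled for success.
$AuditPath = 'C:\Shares\Finance'   # placeholder directory, not from the thread

# 1. Add a SACL entry: audit successful Delete and DeleteSubdirectoriesAndFiles
#    requests by Everyone, inherited by all child files and folders.
$acl  = Get-Acl -Path $AuditPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditPath -AclObject $acl

# 2. Confirm the effective policy for the subcategory, as the thread does.
auditpol /get /subcategory:"File System"

# 3. Pull 4656 events and keep those whose AccessMask includes DELETE (0x10000)
#    for an object under the audited directory.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # AccessMask is logged as a hex string such as "0x10000"; PowerShell converts it.
    if ($data.ObjectName -like "$AuditPath*" -and ([int]$data.AccessMask -band 0x10000)) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
            Process = $data.ProcessName
        }
    }
}
```

The SACL step is the part the thread identifies as missing: with only the subcategory enabled and no audit entry on the directory, the Security log stays empty for that path even though `auditpol /get` reports auditing as enabled. Filtering on the access mask matters because 4656 is raised for any handle request, not only deletions, so an unfiltered 4656 view mixes reads and writes in with the events of interest.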