Help with auditing of deleted files - 2008R2
-
Monday, April 30, 2012 19:57
I would have thought this would be way easier, but I'm really stumped setting up auditing on a 2008R2 file server. I first tried turning on the old Audit Policy for object access and got flooded with logs. I found a few posts about going into the new Advanced Audit Policy Configuration. So right now I have the Local Policies - Audit Policy - Audit object access turned off. Advanced Audit Policy Configuration - Object Access - Audit File System turned on for success and failure. I have the share set up to audit the Everyone group for deletion of files and folders and replaced the permissions all the way down the tree. When I map the share from a client computer and delete files or folders, no logs are created. Is there a service I have to restart to make this work, or do I have something misconfigured? If I run auditpol /get /category:"Object Access" it correctly shows File System (success and failure) and the other ones off. Any help would be appreciated.
Mike
All replies
-
Tuesday, May 1, 2012 16:49
Just wanted to send a quick update on this issue. It appears to be related to how inheritance works when auditing a folder. When I set auditing at the top level of a share and apply it to this folder, subfolders, and files, it only seems to apply to literally the subfolders and the files in the root of this folder. It does not apply to files in those subfolders. Anyone know if this is by design? It seems to really complicate auditing an entire share, as most have 3 or 4 levels of folders.
-
Wednesday, May 2, 2012 08:44 Moderator
Hi,
If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
For details:
What is the interaction between basic audit policy settings and advanced audit policy settings?
http://technet.microsoft.com/en-us/library/ff182311(v=WS.10).aspx#BKMK_3
Advanced Security Audit Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd408940(v=WS.10).aspx
In addition, please refer to the following link to verify the audit settings: "Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object" and "Include inheritable auditing entries from this object's parent".
For details:
Advanced Security Settings Properties Page - Auditing Tab
http://technet.microsoft.com/en-us/library/cc753927(v=WS.10).aspx
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
- Marked as answer by Elytis Cheng (Moderator), Tuesday, May 15, 2012 09:22
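The three things this thread checks (the "Force audit policy subcategory settings" option, the File System subcategory, and whether the delete audit entry actually reached every file and subfolder) can be verified in one pass. The script below is an added example, not code from any poster in the thread; `D:\Shares\Data` is a placeholder path, and the audited rights tested are an assumption matching the "deletion of files and folders" setup described in the question. Run it elevated on the file server.

```powershell
# Added example (not from the thread). $Root is a placeholder for the share's local path.
param([string]$Root = 'D:\Shares\Data')

# 1. "Audit: Force audit policy subcategory settings..." is stored in this LSA value.
#    1 = enabled, so the basic (category-level) audit policy is ignored.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"

# 2. Effective setting of the File System subcategory (expect Success and Failure).
auditpol /get /subcategory:"File System"

# 3. Walk the tree and report every object whose SACL has no successful-delete
#    audit entry, whether explicit or inherited.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$success = [System.Security.AccessControl.AuditFlags]::Success
$items   = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

$missing = foreach ($item in $items) {
    try {
        # -Audit reads the SACL; this needs the "Manage auditing and security log" right.
        $acl   = Get-Acl -Path $item.FullName -Audit -ErrorAction Stop
        $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    } catch {
        Write-Warning "Cannot read SACL on $($item.FullName): $($_.Exception.Message)"
        continue
    }
    $covered = $false
    foreach ($r in $rules) {
        $hasDelete  = ([int]$r.FileSystemRights -band [int]$rights) -ne 0
        $hasSuccess = ([int]$r.AuditFlags -band [int]$success) -ne 0
        if ($hasDelete -and $hasSuccess) { $covered = $true }
    }
    if (-not $covered) {
        New-Object PSObject -Property @{
            Path        = $item.FullName
            IsContainer = $item.PSIsContainer
            AuditRules  = @($rules).Count
        }
    }
}

if ($missing) {
    $missing | Sort-Object Path | Format-Table Path, IsContainer, AuditRules -AutoSize
} else {
    "Every object under $Root has a successful-delete audit entry."
}
```

Objects listed with `AuditRules` equal to 0 received no audit entry at all, which is the symptom described in the second post; an empty result with the subcategory enabled points back at the policy settings instead.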

