none
auditing policy for certain folders

Answers

  • Hi Azker,

    There's not much that can be added to Ned's article, as it's quite thorough - as Ned is inclined to be.

    The key points are:

    1. Make sure you have enabled Audit object access in Group Policy (either local or domain is fine).
    2. Configure the auditing requirements on the file server as shown at the start of the article, though keep in mind you can select as many of those auditing events shown in "Access options" as you like.
    3. Check the Security event log on that server for events in the 4xxx or 5xxx category as outlined in the Server 2008 section (not the Server 2003 section as you've alluded to above with the 560 event id).

    So long as the auditing policy has been enabled (point 1) and the auditing "permissions" (point 2) have been set, it should work just fine.

    Cheers,
    Lain

    Tuesday, March 19, 2013 2:43 PM
  • Before audit records are logged, an auditing policy must be established. The policy defines the types of events that will be audited for a specific user or group of users. However, enabling the auditing policy is only part of the work associated with setting up auditing

    Check the technet Article for tracking & controlling critical changes made in AD

    http://gallery.technet.microsoft.com/Tracking-Controlling-4dafc8a2

    Wednesday, March 20, 2013 12:15 PM

All replies

  • Hi Azker,

    There's not much that can be added to Ned's article, as it's quite thorough - as Ned is inclined to be.

    The key points are:

    1. Make sure you have enabled Audit object access in Group Policy (either local or domain is fine).
    2. Configure the auditing requirements on the file server as shown at the start of the article, though keep in mind you can select as many of those auditing events shown in "Access options" as you like.
    3. Check the Security event log on that server for events in the 4xxx or 5xxx category as outlined in the Server 2008 section (not the Server 2003 section as you've alluded to above with the 560 event id).

    So long as the auditing policy has been enabled (point 1) and the auditing "permissions" (point 2) have been set, it should work just fine.

    Cheers,
    Lain

    Tuesday, March 19, 2013 2:43 PM
  • Before audit records are logged, an auditing policy must be established. The policy defines the types of events that will be audited for a specific user or group of users. However, enabling the auditing policy is only part of the work associated with setting up auditing

    Check the technet Article for tracking & controlling critical changes made in AD

    http://gallery.technet.microsoft.com/Tracking-Controlling-4dafc8a2

    Wednesday, March 20, 2013 12:15 PM