2012年4月30日 下午 07:57
I would have thought this would be way easier, but I'm really stumped setting up audting on a 2008R2 file server. I first tried turning on the old Audit Policy for object access and got flooded with logs. I found a few posts about going into the new Advanced Audit Policy Configuration. So right now I have the Local Policies - Audit Policy - Audit object access turned off. Advanced Audit Policy Configuration - Object Access - Audit File System turned on for success and failure. I have the share setup to audit the Everyone group for deletion of files and folders and replaced the permissions all the way down the tree. When I map the share from a client computer and delete files or folders no logs are created. Is there a service I have to restart to make this work or do I have something misconfigured? If I run auditpol /get /category"ObjectAccess" it correctly shows File System (success and failsure) and the others ones off. Any help would be appreciated.
2012年5月1日 下午 04:49Just wanted to send a quick update on this issue. It appears to be related to how Inheritance works when auditing a folder. When i set auditing at the top level of a share and apply it to this folder, subfolder, and files it only seems to apply to literally the subfolder and the files in the root of this folder. It does not apply to files in those subfolders. Anyone know if this is by design? It seems to really complicate auditing an entire share as most have 3 or 4 levels of folders.
2012年5月2日 上午 08:44版主
If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
What is the interaction between basic audit policy settings and advanced audit policy settings?
Advanced Security Audit Policy Step-by-Step Guide
In addition, please refer the following link to verify the audit setting: Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object and Include inheritable auditing entries from this object's parent
Advanced Security Settings Properties Page - Auditing Tab
Hope this helps!
TechNet Community Support