Help with auditing of deleted files - 2008R2


  • April 30, 2012, 7:57 PM
     
     

    I would have thought this would be way easier, but I'm really stumped setting up auditing on a 2008R2 file server.  I first tried turning on the old Audit Policy for object access and got flooded with logs.  I found a few posts about going into the new Advanced Audit Policy Configuration.  So right now I have the Local Policies - Audit Policy - Audit object access turned off.  Advanced Audit Policy Configuration - Object Access - Audit File System turned on for success and failure.  I have the share set up to audit the Everyone group for deletion of files and folders and replaced the permissions all the way down the tree.  When I map the share from a client computer and delete files or folders, no logs are created.  Is there a service I have to restart to make this work or do I have something misconfigured?  If I run auditpol /get /category:"Object Access" it correctly shows File System (success and failure) and the other ones off.  Any help would be appreciated.

    Mike

All Replies

  • May 1, 2012, 4:49 PM
     
     
    Just wanted to send a quick update on this issue.  It appears to be related to how inheritance works when auditing a folder.  When I set auditing at the top level of a share and apply it to this folder, subfolder, and files, it only seems to apply to literally the subfolder and the files in the root of this folder.  It does not apply to files in those subfolders.  Anyone know if this is by design?  It seems to really complicate auditing an entire share as most have 3 or 4 levels of folders.
  • May 2, 2012, 8:44 AM
    Moderator
     
     Answered

    Hi,

    If you use Advanced Audit Policy Configuration settings, you should enable the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.

    For details:

    What is the interaction between basic audit policy settings and advanced audit policy settings?

    http://technet.microsoft.com/en-us/library/ff182311(v=WS.10).aspx#BKMK_3

      

    Advanced Security Audit Policy Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/dd408940(v=WS.10).aspx  

    In addition, please refer to the following link to verify the audit settings "Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object" and "Include inheritable auditing entries from this object's parent".

    For details:

    Advanced Security Settings Properties Page - Auditing Tab

    http://technet.microsoft.com/en-us/library/cc753927(v=WS.10).aspx  

    Hope this helps!

    Best Regards

    Elytis Cheng

    TechNet Community Support
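
The checks discussed in this thread can be run from PowerShell, shown here as an added example that is not part of any poster's reply. It assumes an elevated session on the file server and PowerShell 2.0 syntax; `D:\Shares\Data` is a hypothetical share path and `Test-DeleteAudit` is a helper name made up for this example.

```powershell
# Added example. Assumption: $Root is a hypothetical path to the audited share.
$Root = 'D:\Shares\Data'

# 1. Effective advanced policy: File System should report Success and Failure.
auditpol /get /subcategory:"File System"

# 2. The "Audit: Force audit policy subcategory settings ..." security option
#    is stored in this registry value; 1 means the option is enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Force-subcategory option is off; basic category settings can override the advanced policy.'
}

# 3. Rights that cover deleting a file or folder, and the Everyone SID.
$deleteRights = [int][System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$successFlag  = [int][System.Security.AccessControl.AuditFlags]::Success
$everyoneSid  = 'S-1-1-0'

# Returns one record per object: does its SACL (explicit or inherited entries)
# audit successful deletes by Everyone, and is SACL inheritance blocked on it?
function Test-DeleteAudit($Path) {
    $acl   = Get-Acl -Path $Path -Audit    # -Audit reads the SACL, needs elevation
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hit   = $rules | Where-Object {
        $_.IdentityReference.Value -eq $everyoneSid -and
        ([int]$_.FileSystemRights -band $deleteRights) -and
        ([int]$_.AuditFlags -band $successFlag)
    }
    New-Object PSObject -Property @{
        Path               = $Path
        Audited            = [bool]$hit
        InheritanceBlocked = $acl.AreAuditRulesProtected
    }
}

# 4. Walk the whole tree, all folder levels and files, and list the gaps.
$items  = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse -Force)
$report = $items | ForEach-Object { Test-DeleteAudit $_.FullName }
$report | Where-Object { -not $_.Audited } |
    Select-Object Path, InheritanceBlocked |
    Format-Table -AutoSize
```

Objects listed with `InheritanceBlocked` set to `True` are the ones where "Include inheritable auditing entries from this object's parent" is cleared, so the entry set at the top of the share never reaches them.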