Auditing File Access on File Servers with GPO - Not logging any event

    Question

  • Hi Guys,

    I'm kind of new at this, so I would like to ask you for some help regarding the Audit Configuration I found in this link:

    http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx#comments

    So I have done that Audit Configuration, but I can't see any 4663 or any other event related to the Audit configuration in the Event Viewer.

    To give you a better overview, this is my setup and what I've done:

    - I have a lab Domain with one DC, one File Server (that holds the shared folders and files I want to audit), both of them W2008R2, and one Windows 7 client computer.

    - I created one GPO with the name 'File Server Audit Policy' with all the configurations mentioned here that is applied to the OU that contains my FileServer - The 'gpresult' command tells me that the only GPOs applied to the FileServer are the 'Default Domain Policy' and the 'File Server Audit Policy'

    - In my FS I have one Folder that I have shared with the name 'Shares' and under it I have 3 folders, Marketing, Finance and IT.

    - As I want to audit everything that happens in those 3 folders, I created the SACL on 'Shares' for the 'Everyone' group.

    - From the Windows 7 client computer, with a regular user account, I'm able to access the 'Shares' folder (\\FileServer\Shares) and then the other folders and their files. I make many changes (creations, deletions, modifications, etc.), but I don't get any audit log entry in the Event Viewer, not even one.

    - On the DC and on the FS I get the Logon/Logoff events when I access the shared files from the client computer, but just that, no 4663 event.

    Could you guys please shed some light on this problem that is driving me crazy after almost a week of testing?

    Your help will be greatly appreciated.

    Regards.
    Daniel.

    Monday, December 14, 2015 9:59 PM

Answers

  • Hi Wendy,

    So the problem is half solved now, here is what has been done after a lot of research:

    - The result of "auditpol /get /category:*" on my FS server gave me the Audit Policy configuration on the server that was quite different from the one I had made on the GPO 'File Server Audit Policy'.

    - After doing some research I found the link below that mentioned a related problem but applying policies in different ways, I quote the part that caught my attention:

    "The lack of Object Access auditing is expected: as soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored. The only way to get a Win7/R2 computer to start using legacy policy is to set the security policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to DISABLED. That disables the use of the newer policy type. Then you must clear the existing advanced policy from the machines (auditpol.pol /clear, having a blank audit.csv file, etc). The system isn't optimal, but the intention was never for you to go back."

    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

    - As I said, the case is different from mine because of the different ways the Audit settings had been applied, but there was something in common: the configurations I made in my GPO were not being applied. So, to apply them, first I disabled the mentioned security policy (Audit: Force audit policy subcategory...), cleared the existing Advanced Policy from the machine (auditpol /clear), forced the update of the GPO (gpupdate /force), then ran "auditpol /get /category:*" again, and now the result was clean: all the Audit settings appeared as "No Auditing".

    - After that I had a server with no Auditing Policy (remember the GPO 'File Server Audit Policy' is linked to the OU that contains my FS server at all times). So I enabled again the security policy I had disabled previously and forced the update of the GPO again. I thought that then the machine would get the Audit configurations of the last GPO applied, which was my 'File Server Audit Policy' GPO, but surprisingly, when I ran "auditpol /get /category:*" again, the result was still clean: all the Audit settings appeared as "No Auditing". Pretty discouraging at that moment, eh?

    - Well, I continued with some research and found the link below with 3 steps to fix the problem. I quote his solution for the problem (I would add a fourth step to run "gpupdate /force" again, though):

    "I solved it by the following procedure:

    • Set every advanced audit configuration item to "Not configured"
    • Run gpupdate /force on the relevant systems
    • Re-set all advanced audit configuration according to your requirements

    I have created the failing GPO from a template which already had set the advanced audit settings. I guess there was an internal mismatch of the GUIDs..."

    http://serverfault.com/questions/617713/advanced-audit-policy-not-getting-applied-on-2012-r2

    - Notice that the changes to the Advanced Audit Configuration items have to be done in the GPO (in my case my GPO 'File Server Audit Policy'). So I did those 4 steps and ran "auditpol /get /category:*" again, and now all the configurations I had set in my GPO were applied to the server ... yayyyyyyyyyy!!!

    Hope this helps anyone who is having the same problem.

    But now I have another problem that maybe you can help me with, Wendy. Now that the Advanced Audit Configurations are applied on my FS server through the GPO, I can see the logs for the "Object Access: File System" configuration in the Event Viewer (Event 4663), but I can NOT yet see any log for the "Object Access: File Share" configuration (Event 5145), even though both of them have been enabled to audit "Success".

    Do you have any idea why I'm not getting any 5145 Event?

    Thanks so much for your help in advance, it will be greatly appreciated.

    Regards.

    Daniel.


    DW.

    • Marked as answer by DanielW-IT Thursday, December 17, 2015 4:43 PM
    Wednesday, December 16, 2015 3:54 PM
  • "Object Access: File Share" configuration (Event 5145) even though both of them have been


    To my knowledge, you will only see event 5145 after configuring the “Audit Detailed File Share Audit” under:

    Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration

    Not the "Object Access: File Share". You had better test this.



    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by DanielW-IT Thursday, December 17, 2015 4:43 PM
    Thursday, December 17, 2015 9:05 AM
    Moderator
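    The two findings in the marked answers (auditpol shows the policy the server actually enforces, and 5145 comes from the "Detailed File Share" subcategory, not "File Share") can be checked in one go. The script below is an added example, not code from the thread; it assumes it is run in an elevated PowerShell on the file server after "gpupdate /force", and the registry value name, subcategory names and event IDs are the standard Windows ones (5140 for "File Share" is not mentioned in the thread; it is listed only to contrast the two subcategories).

```powershell
# Added example, not code from the thread. Run elevated on the file server after gpupdate /force.
# Checks: (1) the effective audit policy via auditpol, (2) that advanced (subcategory) policy is
# in force rather than legacy category policy, (3) whether the expected events are being written.
param(
    [int]$LookbackMinutes = 60
)

# Subcategory -> event ID expected from it. "File Share" (5140) is a different subcategory
# from "Detailed File Share" (5145), which is the one Daniel was missing.
$expected = [ordered]@{
    'File System'         = 4663
    'File Share'          = 5140
    'Detailed File Share' = 5145
}

# 1. Effective policy. "auditpol /r" emits CSV; "Inclusion Setting" is what is enforced.
$policy = foreach ($sub in $expected.Keys) {
    $row = (& auditpol.exe /get /subcategory:"$sub" /r) |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    [pscustomobject]@{ Subcategory = $sub; Setting = $row.'Inclusion Setting' }
}

# 2. SCENoApplyLegacyAuditPolicy = 1 is the registry form of "Audit: Force audit policy
#    subcategory settings ... to override audit policy category settings" being Enabled.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$advancedInForce = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

# 3. Count matching Security events in the lookback window (none found is not an error here).
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$counts = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($expected.Values); StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object { $counts[$_.Id] = 1 + [int]$counts[$_.Id] }

# Report. A subcategory that is set to audit but shows no events points at the SACL or the
# access path; "No Auditing" or legacy policy in force points back at policy application.
foreach ($p in $policy) {
    $id = $expected[$p.Subcategory]
    [pscustomobject]@{
        Subcategory      = $p.Subcategory
        EffectiveSetting = $p.Setting
        EventId          = $id
        EventsSeen       = [int]$counts[$id]
        AdvancedPolicy   = $(if ($advancedInForce) { 'in force' } else { 'NOT in force (legacy category policy applies)' })
    }
}
```

    Expect "Detailed File Share" to generate far more 5145 events than "File System" generates 4663 events once enabled, since every share access is logged regardless of SACLs.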

All replies

  • A couple of things I would like to cross-verify from the same resource you followed to enable auditing:

    1) If this is a Windows Server 2008 R2 or later operating system please use the Advanced Audit Policy Configuration (Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\) as opposed to the older Audit Policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\)

    2) Do not mix use of both Advanced Audit Policy Configuration and the older Audit Policy: If you enable audit policy through Advanced Audit Policy Configuration either through group policy or the local security policy, I recommend using the Advanced Audit Policy Configuration at every level (local policy, site, domain and OU-linked group policy)

    I hope you do not have a mixed-up auditing policy.

    If the issue still persists, I would suggest you follow this informative article that covers all the prerequisites required for hassle-free File Server Auditing: http://www.lepide.com/blog/prerequisites-for-hassle-free-file-server-auditing/


    For organizations that want to increase their visibility into what's happening in their IT environments but are perhaps limited on time, resources or budget: the Lepide 2020 audit & change control suite provides instant access to see who, what, where and when changes are being made to Active Directory, Group Policy, SQL Servers, SharePoint, File Servers, Exchange Servers and more.

    Tuesday, December 15, 2015 9:34 AM
  • Hi Andres,

    Yes, I was very careful with this configuration so I only used Advanced Audit Policy Configuration (Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\)

    Thanks for the link; it is good information, but unfortunately it doesn't help to get this working. Do you have any other suggestion?

    Regards.

    Daniel.



    DW.

    Tuesday, December 15, 2015 3:05 PM
  • Hi Daniel,

    In order to verify whether the policy setting has applied, could you run auditpol /get /category:* command and post the result?


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, December 16, 2015 9:56 AM
    Moderator
  • Hi Wendy!

    Thanks so much for your help. I was indeed using the wrong Configuration (Object Access: File Share), as you state, the right configuration is "Object Access: Audit Detailed File Share" under:

    Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration

    The testing part has finished, and now we will establish the scope of what we need to log and which servers this new GPO will be applied to.

    Again thanks so much for your help.

    Regards.

    Daniel.


    DW.

    Thursday, December 17, 2015 4:43 PM