Simple auditing for a folder - easier said than done!

    Question

  • In an attempt to audit for success and failure on a folder on a client workstation, I'm having problems.

    I have defined within a GPO, an advanced audit configuration policy for 'Audit File System' under the 'Object Access' section of the available advanced audit nodes. I have also ensured that basic audit policies do not overwrite these events.

    I have then added the user to audit, into the SACL via the 'Auditing' tab of the specified folder, on the client workstation.

    I ran a gpupdate /force, and then ran auditpol.exe /get /category:* on the client computer, which successfully reported that auditing for success and failure had been configured for 'Object Access'. Defined policy settings working - great.

    I then ran auditpol.exe /get /user:<mydomain>\specifieduser  /category:"Object Access", which reported "No audit policy is defined for the user account".

    Is there a reason why this isn't being confirmed, despite the specified user being the only user in the SACL for audited folder? I'm running out of things to check, would really appreciate some help!

    Many thanks.

    Friday, March 20, 2015 9:49 PM

Answers

  • Hi,

    The audit policy settings set via group policy are per computer but not per user. Based on the description, the audit policy settings should have been applied successfully, and we can double confirm this by checking the Security logs in Event Viewer to see if corresponding events are logged when we use the account to access the folder.

    In addition, per-user auditing can be configured only from the command line.

    Regarding configuring Per-User auditing, the following article can be referred to for more information.

    Configuring Per-User Auditing

    http://windowsitpro.com/systems-management/configuring-user-auditing

    Please Note: Since the website above is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, March 23, 2015 8:17 AM
    Moderator
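
The check suggested in the answer above, written out as an added example that is not part of the original thread: it shows the computer-wide policy, dumps the folder's SACL, and searches the Security log for file-access events from the audited account. The folder path and account name are placeholders, and the session is assumed to be an elevated PowerShell prompt on the audited workstation.

```powershell
# Added example; run elevated (reading a SACL and the Security log needs it).
# Constructed placeholders: replace with your own folder and account.
$Folder  = 'C:\AuditedFolder'   # hypothetical path
$Account = 'specifieduser'      # account name without the domain prefix

# 1. Effective per-computer policy for the subcategory the GPO configures.
auditpol.exe /get /subcategory:"File System"

# 2. SACL on the folder: confirm the account has an audit entry, and which
#    rights and result types (Success/Failure) that entry covers.
(Get-Acl -Path $Folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 3. Security log: 4656 (handle requested) and 4663 (access attempted)
#    events from the last hour, narrowed to this account and folder.
$filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-1) }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Result  = $_.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
            User    = $data['SubjectUserName']
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
        }
    } |
    Where-Object { $_.User -eq $Account -and $_.Object -like "$Folder*" }

if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize }
else { Write-Warning "No 4656/4663 events for $Account under $Folder in the last hour." }

# 4. Per-user policy is separate from the above and is set only from the
#    command line. Left commented out; the domain name is a placeholder.
# auditpol.exe /set /user:MYDOMAIN\specifieduser /subcategory:"File System" /include /success:enable /failure:enable
# auditpol.exe /get /user:MYDOMAIN\specifieduser /category:"Object Access"
```

If step 3 returns events, the computer policy and the SACL are working together, and the "No audit policy is defined for the user account" message only reflects that no per-user policy has been set.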

All replies

  • Thanks for this Frank Shen, will take a look this evening.
    Tuesday, March 24, 2015 8:52 AM
  • Hi,

    It's been a while. I think the suggestion provided above should be helpful and I will mark the reply as answer. However, if the suggestion doesn't help answer the question, please feel free to un-mark it.

    Best regards,
    Frank Shen



    Thursday, April 2, 2015 9:24 AM
    Moderator