audit object access, event viewer output

  • Question

  • Hi All

    I have enabled audit object access on the root OU & default DCs OU, and also selected the auditing tab of the folder & selected to audit any successful deletions.  I do indeed see audit object access in the event viewer under Security, however I'm not satisfied with the message itself as it only lists "username", audit object access and then some vague stuff about the registry.

    I was hoping to see    e.g.   user "john doe", audit object access, deleted "file name" at 21:00

    Or some such.  This way I can demonstrate to management who is deleting the files on our network.  Is it not possible to get a clear picture, or have I overlooked something?

    Thanks for reading.

    confuseis
    Thursday, December 8, 2011 9:13 PM

Answers

  • Hi,

    Please try the following steps:

    1.  Open GPMC, create a GPO linked to the domain. 
    2.  Navigate to the following location:
    Security Settings\Local Policies\Audit Policy\Audit Object Access 
    3.  Double-click Audit Object Access , click to select Success check boxes, and then click Apply . 
    4.  Go to the shared folder. Open the Properties box of the shared folder, click the Security tab, and then click Advanced . The Advanced Security Settings dialog box of the folder appears. 
    5.  In the Advanced Security Settings dialog box, click the Auditing tab. Click Add , enter everyone , and then click OK . The Auditing Entry dialog box appears. 
    6.  In the Auditing Entry dialog box, click to select the Successful check boxes for Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete, and then click OK .
    7. Type "gpupdate /force" or reboot the machine to make sure the policy is applied.
    8. Please test by creating a new file and deleting it from the share. You should be able to get an event like the one below:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Event Type:    Success Audit
    Event Source:         Security
    Event Category:     Object Access
    Event ID:          560
    Date:                 9/6/2010
    Time:                 4:44:59 PM
    User:                 TWODC\Administrator
    Computer:      EWIN2K3SSP2
    Description:
    Object Open:
             Object Server:        Security
             Object Type:  File
             Object Name:         C:\UserData\New Text Document.txt
             Handle ID:       1224
             Operation ID: {0,385325}
             Process ID:      4
             Image File Name: 
             Primary User Name:      EWIN2K3SSP2$
             Primary Domain:    TWODC
             Primary Logon ID:  (0x0,0x3E7)
             Client User Name:          Administrator
             Client Domain:        TWODC
             Client Logon ID:      (0x0,0x2A88A)
             Accesses:        DELETE
                                ReadAttributes
                               
             Privileges:       -
             Restricted Sid Count:    0
             Access Mask: 0x10080

    Hope this helps.

    Best Regards,

    Yan Li


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    • Proposed as answer by Yan Li_ Tuesday, December 13, 2011 4:37 AM
    • Marked as answer by Yan Li_ Thursday, December 15, 2011 8:41 AM
    Monday, December 12, 2011 3:37 AM
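The same procedure as a script, added here as an example; it is not part of Yan Li's answer or the original thread. It assumes an elevated PowerShell prompt on the file server that actually hosts the share (the machine whose effective audit policy matters, so a GPO linked to the domain or to that server's own OU, not to the users' OU), a share folder at D:\Shares\Finance (assumed path), and Windows Server 2008 or later, where the 560 event shown in the answer is replaced by 4663 (handle used with DELETE access, mask 0x10000) and 4660 (object deleted). `Get-FileDeletions` is a helper name introduced for this example.

```powershell
# Added example, not code from the original thread. Run elevated on the file server.
$SharePath = 'D:\Shares\Finance'   # assumption: the audited share folder

# 1. Enable success auditing for the File System subcategory of Object Access.
#    This is the per-server equivalent of the "Audit Object Access" GPO setting;
#    it has to be in effect on the server holding the files, not only on the DCs.
auditpol /set /subcategory:"File System" /success:enable

# 2. Add a SACL entry: audit successful deletes by anyone, inherited by subfolders and files
#    (the same entries as "Delete" and "Delete subfolders and files" in the Auditing tab).
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl     # writing a SACL needs SeSecurityPrivilege

# 3. Report who deleted what: 4663 events whose access mask carries DELETE (0x10000)
#    and whose object lives under the share. Deletes over SMB show ProcessName = System.
function Get-FileDeletions {
    param(
        [string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if (-not $d['AccessMask'] -or -not $d['ObjectName']) { return }
            $mask = [Convert]::ToInt64($d['AccessMask'], 16)   # AccessMask is hex text, e.g. 0x10000
            if (($mask -band 0x10000) -ne 0 -and
                $d['ObjectName'].StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Object  = $d['ObjectName']
                    Process = $d['ProcessName']
                }
            }
        }
}

# Usage: the "user X deleted file Y at time Z" view the question asks for.
Get-FileDeletions -Path $SharePath | Sort-Object Time | Format-Table -AutoSize
```

The report filters on the DELETE bit of the access mask rather than on event 4660 because 4660 carries only the handle ID, not the object name; 4663 has both, and correlating the two by HandleId is only needed if you want to prove the delete actually completed rather than that DELETE access was exercised. Run `auditpol /get /subcategory:"File System"` and `Get-Acl -Audit` again after `gpupdate /force` to confirm that a domain GPO has not overwritten the local setting.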
  • Thank you Yan Li. 

    A clear set of steps like yours is always my preferred type of answer. I got this to work.  I was setting the GPO on the department's OU and it wasn't biting.  The trick I didn't then grasp was I had to set it on the DC's "Local" policy.

     

    Happy New Year.

    confuseis
    • Edited by confuseis Sunday, January 1, 2012 5:43 PM
    • Marked as answer by confuseis Sunday, January 1, 2012 5:44 PM
    Sunday, January 1, 2012 5:42 PM
