Audit object access properties window dimmed out

  • Question

  • Win 2k8 r2 with sp1.  A DC, DNS, etc

    When I went into Local Security Policy > Security Settings > Local Policies > Audit Policy > Audit object access, I don't have the option to select anything since they're greyed out.

    ??

    Friday, January 20, 2012 5:39 PM

Answers

  • Follow these Steps to use Audit File share:

    1. Open Local Security Policy by clicking the Start button, typing secpol.msc into the search box, and then clicking secpol. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

    2. In the left pane, expand the Advanced Audit Policy Configuration folder. Expand System Audit Policies - Local Group. Double-click on Object Access.

    3. In the right pane double-click on Audit File Share.

    4. In the Audit File Share Properties window select the Configure the following events: check box. Then select the Success check box and the Failure check box to audit both successful and unsuccessful attempts to access a shared folder. Then click OK.

    Source: http://technet.microsoft.com/en-us/library/dd772690%28WS.10%29.aspx

    Please refer to the Advanced Security Audit Policy Step-by-Step Guide

    and also this for your reference, step by step with screenshots


    Gopi Kiran |Facebook| This posting is provided AS IS with no warranties, and confers no rights.


    Saturday, January 21, 2012 7:13 PM
  • After much screwing around, I got what I wanted by following a section of the Advanced Security Audit Policy step-by-step guide you provided:

    *****************************************************************

    To configure the file system audit policy

    1. Log on to CONTOSO-SRV as a member of the local Administrators group.

    2. Click Start, point to Administrative Tools, and then click Group Policy Management.

    3. In the console tree, double-click Forest: contoso.com, double-click Domains, and then double-click contoso.com.

    4. Right-click Default Domain Policy, and then click Edit.

    5. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.

    6. Double-click Security Settings, double-click Advanced Audit Policy Configuration, and then double-click System Audit Policies.

    7. Double-click Object Access, and then double-click File System.

    8. Select the Configure the following events check box, and then select the Success, Failure, or both Success and Failure check boxes.

    9. Click OK.

    The file system audit policy is only used to monitor objects for which auditing SACLs have been configured. The following procedure shows how to configure auditing for a file or folder.

    To enable auditing for a file or folder
    1. Log on to CONTOSO-CLNT as a member of the local Administrators group.

    2. Create a new folder or .txt document.

    3. Right-click the new object, click Properties, and click the Security tab.

    4. Click Advanced, and then click the Auditing tab.

    5. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

    6. Click Add, type a user name or computer name in the format contoso\user1, and then click OK.

    7. In the Auditing Entries for dialog box, select the permissions that you want to audit, such as Full Control or Delete.

    8. Click OK four times to complete configuration of the object SACL.

    ******************************

    I started seeing EVENT ID 4663 in the Security event log on the server.

    Unlike previous versions of Windows Server, I *DID NOT* have to do this as an additional step:

    ********************************

    1. On the DC, Group Policy Management | Forest | Domains | domain.com.

    2. On the right hand side, right-click DEFAULT DOMAIN POLICY GPO and click EDIT.

    3. Group Policy Management Editor opens up.

    4. Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

    5. Select Audit Object Access.

    6. Enable DEFINE THESE POLICY SETTINGS and Enable SUCCESS and FAILURE.

     

    Sunday, January 22, 2012 5:56 PM
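
The two procedures quoted in the answer above (enable the File System audit subcategory, then put an auditing entry on the folder) can also be carried out and checked from an elevated PowerShell prompt. This is an added example, not part of the original thread or the Microsoft guide; the folder path `C:\AuditTest` is an assumption, and the account name follows the `contoso\user1` format used in the guide.

```powershell
# Added example: run elevated on the server that hosts the folder.
$Path      = 'C:\AuditTest'     # assumed test folder, not from the thread
$Principal = 'CONTOSO\user1'    # account to audit, in the guide's contoso\user1 format

# 1. Enable the "File System" subcategory under Object Access.
#    This sets local policy only; a domain GPO that defines the same
#    subcategory will overwrite it at the next policy refresh.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Show the effective setting so the result can be confirmed.
auditpol /get /subcategory:"File System"

# 2. Add an auditing entry (SACL) on the folder. Without a SACL the
#    subcategory produces no events for that object.
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

$acl  = Get-Acl -Path $Path -Audit          # -Audit loads the SACL as well as the DACL
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read the SACL back to confirm the entry was written.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4. After the audited account deletes something under $Path, look for
#    event ID 4663 in the Security log that mentions the folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```
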

All replies

  • Check whether auditing is enabled at domain group policy.

    If you want security auditing settings not to be applied to Windows Vista-based and Windows Server 2008-based computers when you deploy a domain-based policy,

    refer to article: http://support.microsoft.com/kb/921468

     


    Gopi Kiran |Facebook| This posting is provided AS IS with no warranties, and confers no rights.

    • Edited by Gopi Kiran Friday, January 20, 2012 7:40 PM
    • Proposed as answer by Martin G. Evans Friday, January 20, 2012 8:32 PM
    Friday, January 20, 2012 7:37 PM
  • What I did:

    1.  On the DC, Group Policy Management | Forest | Domains | domain.com.

    2.  On the right hand side, right-click DEFAULT DOMAIN POLICY GPO and click EDIT.

    3.  Group Policy Management Editor opens up.

    4.  Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

    5.  Select Audit Object Access.

    6.  Enable DEFINE THESE POLICY SETTINGS and Enable SUCCESS and FAILURE.

     

    Created a test user account that is part of the domain users group.

    Created a folder, shared it out (EVERYONE with Full Control).  NTFS permission: Modify for Domain users.

    Log in to a machine with test user account.

    Went to \\server\sharefolder

    Created some dummy files and folders

    Deleted some of the files and folders

    Nothing in regards to deleting shows up in SECURITY windows logs of event viewer of the server where the shared folder is located

     

    Any ideas??

    Saturday, January 21, 2012 7:02 PM
  • Good to hear that. Finally it started working.
    Gopi Kiran |Facebook| This posting is provided AS IS with no warranties, and confers no rights.
    Sunday, January 22, 2012 6:44 PM