Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Thursday, January 27, 2011 5:09 AM
Hi
I want to do auditing on file server win 2008 r2. I want to find logs for file/folder creation,deletion,create share,delete share...etc.
Please suggest how to achieve this.
thanks
All replies (4)
Thursday, January 27, 2011 6:29 AM ✅Answered | 2 votes
Hi,
You may simply enable and apply a GPO security setting to audit the object access, and then make the GPO link to the container which contains the file server that you want to audit.
The configuration node of GPO:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access
You may enable auditing both success and failure attempts on the setting for the security consideration.
For enabling the audit settings on a stand-alone server, please refer to:
How to audit user access of files, folders, and printers in Windows XP
http://support.microsoft.com/kb/310399
(This should be also applied to Windows server system)
Configuring Audit Policies
http://technet.microsoft.com/en-us/library/dd277403.aspx
How To Set, View, Change, or Remove Auditing for a File or Folder in Windows 2000
http://support.microsoft.com/kb/301640
Apply or modify auditing policy settings for a local file or folder
http://technet.microsoft.com/en-us/library/cc784387.aspx
Hope this can be helpful.
Scorprio
TechNet Software Assurance Managed Newsgroup MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin | System Architect
Thursday, January 27, 2011 6:30 AM ✅Answered
Hi,
If you want to see who's trying to access a folder of sensitive files on your file server, you can enable the Audit Object Access audit policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy in the appropriate GPO. Then use the ACL editor on the Security tab of the folder's properties sheet and specify which groups of users you want to audit accessing the folder.
If you want to detect unauthorized attempts at accessing the files, enable Failure auditing in the policy and audit Read permissions in the ACL.
If you want to see who is accessing the files and modifying them, enable Success auditing in the policy and audit Write and Append permissions in the ACL.
Auditing Windows Server 2008 File and Folder Access
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
Brent Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
Wednesday, December 21, 2011 7:24 AM
You might want to give a look to FileAudit.
With a right click in Windows explorer or from the console, FileAudit instantly gives a comprehensive list of:
- read/write accesses
- appropriation attempts (accepted or denied)
- permission modification attempts (accepted or denied)
each record detailing:
- the user
- the domain
- the date and time of connection and disconnection
for:
- a file
- a selection of files
- a folder and subfolders
- a selection of folders and subfolders
François Amigorena | President & CEO | IS Decisions | www.ISDecisions.com
Wednesday, March 13, 2013 4:12 PM
We use system center to track Security ID 4663 (object access action) but be mindful on getting FLOODED on ID 4633 READS. If one of your users decide to Advance search the entire audited directories for a word withing a document this will trigger READ attribute event. OMG
Thx, Joe