Re: Auditing access to files and folders
From: Eric Fitzgerald [MS] (ericf@online.microsoft.com)
Date: 11/15/02
- Next message: Eric Fitzgerald [MS]: "Re: NTFS Permissions won't resolve"
- Previous message: Eric Fitzgerald [MS]: "Re: Auditing"
- In reply to: Anthony Litterio: "Re: Auditing access to files and folders"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric Fitzgerald [MS]" <ericf@online.microsoft.com> Date: Thu, 14 Nov 2002 18:59:07 -0800
You must have set:
1) Audit policy on the DCs (default domain controllers policy) includes
"object access:success".
2) SACLs on objects contain "everyone:success:write data,delete,write_dac")
Eric
-- Eric Fitzgerald Program Manager, Windows Auditing and Intrusion Detection Microsoft Corporation This posting is provided "AS IS" with no warranties, and confers no rights. "Anthony Litterio" <tlitterio@rusinpatton.com> wrote in message news:73b301c28b69$ee33e300$3bef2ecf@TKMSFTNGXA10... > Sorry, I should clarify that the files are on one of the > DC's, and I am checking the viewer on the Server that they > reside on. > > > >-----Original Message----- > >Which computer did you check the logs? The DCs, or the > computer containing > >the files? Maybe you're checking the wrong log viewer. > > > >You might also need to use the Log viewer to clear the > log. It can become > >corrupt. > > > >I can't confirm whether enabling the file auditing on the > domain controllers > >instead of the computer serving the files is the correct > place to enable it, > >I guess I'll take your word for it. I'm guessing you > enable the setting on > >the computer serving the files and check the log on that > computer as well. > >The ACLs are on the target computer, so I would think it > would be the target > >computer and not the DC that logs the event. I think > enabling auditing on > >the domain controllers allows you to see events like > domain logon events. I > >could be wrong. > > > >"Anthony Litterio" <tlitterio@rusinpatton.com> wrote in > message > >news:159e01c28b61$9bd2b080$39ef2ecf@TKMSFTNGXA08... > >> I have a user who is harrasing another user, by reading > >> her personal files and deleting files from her > directory. > >> Well I cuold just block her access, but management wants > >> to fire the harraser, so they want me to tell them > >> everything that happens in the harrasie's directory. > What > >> do I have to do to accomplish this. We want to see if > she > >> even looks in that directory, not just if she opens a > file. > >> > >> I have already enable Audit object access in the Group > >> Policy for the DC's, and created a group of users I want > >> to monitor. I have right clicked on the folder, clicked > >> properties, security advanced, auditing, and added the > >> group I created and checked all available attributes to > >> audit. I then clicked ok and clicked the box to reset > >> auditing on all child objects... > >> > >> I then tested to see if it was logging any events in > event > >> viewer and it was not. I had some of the users I added > to > >> the group access the directory and open files, and it > >> still did not log any events in the security section of > >> event viewer. > >> > >> Am I doing somethign wrong? > > > > > >. > >
- Next message: Eric Fitzgerald [MS]: "Re: NTFS Permissions won't resolve"
- Previous message: Eric Fitzgerald [MS]: "Re: Auditing"
- In reply to: Anthony Litterio: "Re: Auditing access to files and folders"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
