Re: audit folder/file delet

From: Edy Werder (werder_at_interwatt.ch)
Date: 03/31/04

• Next message: Rykel: "Re: Unable to search from address bar"
• Previous message: Tim: "Re: PIRACY -HELP - HELP"
• In reply to: Steven L Umbach: "Re: audit folder/file delet"
• Next in thread: Bob Qin [MSFT]: "RE: audit folder/file delet"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 31 Mar 2004 11:44:04 +0200

Thanks Steven,

Is there any other third party product, which could do the same not
using event viewer and the policy?

Regards

On Mon, 29 Mar 2004 18:33:36 GMT, "Steven L Umbach"
<n9rou@nospam-comcast.net> wrote:

>Unfortunately you cant stop the "related" events. Your best bet is to increase the
>size of the security log and only audit the bare number of permissions for the bare
>number of users avoiding the "everyone" group. You can use filter view to narrow down
>your search or maybe something like Event Comb from Microsoft. --- Steve
>
>
>"Edy Werder" <werder@interwatt.ch> wrote in message
>news:jtlf60dhma3k55d6qmj70odl4hujhlu0ee@4ax.com...
>> Dear all,
>>
>> I try to audit a folder and its subdirectory for deletion.
>>
>> The folder is located on a domain controller. I understand I have
>> first to enable in local security policy, audit policy, audit object
>> access. After that I go to Windows Explorer, select the folder, right
>> click it, poperties, security, advanced, auditing, add.
>>
>> The result I see in the event viewer under security. Basicalyl it
>> works, but I see a lot of other activity for registry keys, mmc.exe as
>> soon as I have activate the policy. Is that normal? It quickly files
>> the audit log. All I want to see there is entries for auditing the
>> folder.
>>
>> Best regards
>> Edy
>

• Next message: Rykel: "Re: Unable to search from address bar"
• Previous message: Tim: "Re: PIRACY -HELP - HELP"
• In reply to: Steven L Umbach: "Re: audit folder/file delet"
• Next in thread: Bob Qin [MSFT]: "RE: audit folder/file delet"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: Auditing file deletion ... regarding this in the security event log. ... Default Domain Controllers Policy. ... Click Computer Configuration, double-click Windows Settings, ... double-click Audit Policy. ... (microsoft.public.windows.server.sbs) Re: allow users to run application ... Security and Configuration Analysis mmc Snap-in. ... > you will find users denied access to the application folder in program ... > user computer use policy. ... >>I have a bunch of application that needs admin rights to run. ... (microsoft.public.win2000.group_policy) Re: Auditing file deletion ... You won't have to wade through the tonnes of audit logs, but have to set filters to watch the activity you care about. ... The problem is that hundreds of other Object Access events get logged, not just the file and directory deletions. ... regarding this in the security event log. ... Default Domain Controllers Policy. ... (microsoft.public.windows.server.sbs) RE: Auditing Workstation logons from DC ... You have already configured Domain Security Settings for Audit account ... the both Default Domain Controllers Policy and Default Domain Security ... GPO may be overriding the audit policy setting that you configured. ... (microsoft.public.windows.server.sbs) Re: Cannot Open Local Policy Database ... folder and make sure administrators has access. ... One thing we do to stop local policy applying to admins is remove access to ... > Security patches. ... > admin ofcourse), I get the error "Windows cannot open the ... (microsoft.public.win2000.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint