Re: Cannot see audit events in security log

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/23/04


Date: Tue, 23 Nov 2004 03:54:52 GMT

If auditing of object access for success and failure has been enabled in the
Local Security Policy [secpol.msc] on that computer and auditing has been
enabled for the proper folder, normally security events for object access
should be recorded in the security log after trying to access the folder as
a user that auditing has been enabled for. If you have not done so, try clearing
the security log and rebooting the computer that is giving you problems,
verifying that auditing is still enabled for object access in Local Security
Policy. I can't think of much else to try offhand. --- Steve

"Frank Thynne" <fthynne@elmplace.co.uk> wrote in message
news:f5642ae5.0411221732.3da02552@posting.google.com...
> Steven, thanks for responding.
>
> I have meanwhile carried out similar tests on another PC and found
> that everything worked as I expected, and I could indeed find 560 and
> 562 events in the security log - but it still isn't working in the
> problem PC. The only significant differences that I can think of are:
>
> 1. the problem PC is standalone while the working one is a member of a
> Windows domain, and
>
> 2. the problem PC was originally set up with a FAT file system (not by
> me!) and I did not notice that it wasn't NTFS until after I enabled
> auditing.
>
> I tried turning auditing off and on again after converting to NTFS in
> case the setting had not been effective while the file system was FAT,
> but it made no difference.
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:<IQdod.129209$HA.61030@attbi_s01>...
>> If you enabled auditing of object access then you should see events in
>> the security log. Look for event IDs such as 560 and 562. Be sure to
>> increase the size of the security log quite a bit and clear the log
>> first. Note that if the security log is configured to not override
>> events that the log will not add any more events until it is manually
>> cleared. --- Steve
>>
>> "Frank Thynne" <fthynne@elmplace.co.uk> wrote in message
>> news:f5642ae5.0411211630.4831738a@posting.google.com...
>> > My client has a stand-alone Windows 2000 Professional computer. We are
>> > trying to establish auditing on a folder and its contents. We have
>> > turned on auditing in local policy and enabled success and failure
>> > auditing on objects. In the advanced section of the security
>> > properties of the folder we have set auditing for the Everyone group
>> > and specified that the property will be propagated to files and
>> > folders contained in it. We have verified that the property is
>> > inherited by a file copied into the folder.
>> >
>> > After doing those things, and accessing a file in the audited folder,
>> > we do not see anything relevant in the Security Event Log. I must be
>> > missing something obvious, but I do not know what it is! Can anyone
>> > advise?
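
The policy-side checks suggested in this thread (object access audited for both success and failure, a security log large enough, and a log that is not set to stop when full) can be run against an exported policy file. The sketch below is an added example, not part of the original posts; it assumes the policy has been exported to the security-template INF layout (for instance with `secedit /export /cfg`) and already decoded to text, and the 10240 KB size threshold is an assumption.

```python
import configparser

# Constructed sample in the layout of a security-policy INF export (not from the thread).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 1
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 2
[Version]
signature="$CHICAGO$"
Revision=1
"""

AUDIT_MODES = {0: "no auditing", 1: "success only", 2: "failure only"}
MIN_LOG_KB = 10240  # assumed threshold; the thread only says "quite a bit"


def check_audit_policy(inf_text, min_log_kb=MIN_LOG_KB):
    """Return (code, message) findings for the settings discussed in the thread."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the INF
    cp.read_string(inf_text)

    def setting(section, key):
        raw = cp.get(section, key, fallback=None)
        return int(raw) if raw is not None and raw.strip().isdigit() else None

    findings = []
    access = setting("Event Audit", "AuditObjectAccess")
    if access is None:
        findings.append(("object_access", "AuditObjectAccess not in export"))
    elif access != 3:  # 3 = success and failure
        findings.append(("object_access", f"object access audits {AUDIT_MODES.get(access, access)}"))

    retention = setting("Security Log", "AuditLogRetentionPeriod")
    if retention == 2:  # 2 = do not overwrite; a full log stops recording
        findings.append(("retention", "log is not overwritten; clear it manually when full"))

    size_kb = setting("Security Log", "MaximumLogSize")
    if size_kb is not None and size_kb < min_log_kb:
        findings.append(("log_size", f"security log is {size_kb} KB, below {min_log_kb} KB"))
    return findings


if __name__ == "__main__":
    for code, message in check_audit_policy(SAMPLE_INF):
        print(f"{code}: {message}")
```

This covers only the policy and log settings; the audit entries on the folder itself still have to be confirmed in its security properties.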


