Re: Detail display for audit policy

---

• From: "Hakan GOKCOL" <hgokcol@xxxxxxxxxxx>
• Date: Wed, 20 Dec 2006 15:42:59 +0200

---

You'll need to enable auditing for successful object access events on the servers on which the folders reside, and you'll need to enable auditing on the folders you want to monitor. To enable auditing for successful object access events, you can either use an existing Group Policy Object (GPO) that's applied to your file servers or, if you don't already control auditing through Group Policy, you can enable it in each server's Local Computer Policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy (in Group Policy Editor—GPE) to a Security Setting of Success.

To enable auditing on a folder, open the folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. Be careful which permissions you enable for auditing because you can easily fill up your log with access events. In your case, you want to monitor only for successful uses of the permission that lets a user change an object's ACL—the Change permissions permission. Shows that I've enabled auditing of successful Change permissions events on the DeptFiles folder. I've also specified Everyone as the name of the audit entry because I want to audit everyone. . . .

Hakan GOKCOL


"Jacky" <Jacky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:82F0C709-2A36-4C7C-BBCA-D974A925C081@xxxxxxxxxxxxxxxx

Hello,

I change the audit policy, all were success in security setting.
In event viewer, it shows the success audiot in security option.
But the description was too simple.

For example, If any user change the any user's file permission. Any method
can display the username, time, which item change(specific detail) in
description.

Thanks

.

---

• Prev by Date: Re: Windows 2003 Domain Controller (Open Port 593)
• Next by Date: SCW Templates
• Previous by thread: Problems setting up the Recovery Agent
• Next by thread: Re: Detail display for audit policy
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: User event tracking ... You can enable auditing of object access on your server, ... IMHO, what you should do is to enable auditing of security events, ... Have a look here in your policy editor: ... Using Software Restriction Policies to Protect Against Unauthorized ... (microsoft.public.windows.terminal_services) Re: Mission Impossible ... For instance you can enable auditing of account logons, logons, ... account management, privilege use, policy change, and object access. ... so if you do such audit only permissions you need for the ... (microsoft.public.windows.server.security) Re: Audit folder access ... First you need to enable auditing on the machine. ... Local Security Policy or Group Policy. ... Policy - expand Local Policies, click on Audit Policy, and in the right pane ... (microsoft.public.windows.server.general) Re: Audit Deleting of files ... Yes you can do it on a single computer but you need to enable auditing of "object ... Open Local Security Policy via secpol.msc and configure auditing as Laura ... (microsoft.public.win2000.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.windows.server.security  > 2006-12