NT File Auditing

stewajl (IS-IT--Management, US), Sep 26, 2001
I would like to audit who is changing and deleting certain files on our Windows NT 4.0 server.

I have changed the Security Auditing to include everyone with write, delete, change permissions and take ownership.

However, when I move the directory/files nothing shows up in the Event Viewer.

What am I missing?
 
HI!

Start "User Manager" and there:
Policies - Audit
Check "Audit Object Access" for both success and fail (or as you wish).

Restart the server if it is still not working.

Remember that NTFS file auditing is VERY RESOURCE INTENSIVE!!!!!
Use only the MINIMAL auditing that you need.

Bye
Yizhar Hurwitz
 
Ok,

I have the Security Auditing turned on the folders.
And I have Audit Object Access turned on in the User Manager.

I Cut and Pasted a document on the server to my PC.

However, I do not get any messages in the Event Viewer - Security. Am I looking in the wrong place?

Occasionally, I will get an "Object Access", Event: 562, User: SYSTEM in the Event Viewer, but it does not specify the object or the user.

Got any ideas?
 
HI!

You are looking in the right place - Event Viewer - Security.

To debug, enable auditing for the "Everyone" group and all options (Full Control). Do this only on a specific test folder, and remember to apply to files and subfolders also (there should be a checkbox on the top of the form).

Then limit to what you want, like delete only.
In general you should audit the Everyone group and both success and fail, but you should configure it for your needs.

Remember that auditing does not affect NTFS permissions.
Permissions are the keys that users use to get access (or not),
and auditing is the camera that watches what is going on.

You probably didn't apply the changes to existing files, and that is what caused the deleted file not to be audited.

Bye

Yizhar Hurwitz
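
The two layers discussed in this thread (the system-wide "Audit Object Access" policy plus an audit entry on the folder that applies to files and subfolders), shown as an added example that is not part of the original posts. It uses the tooling of current Windows versions (`auditpol`, `Get-Acl`/`Set-Acl`) rather than NT 4.0's User Manager, and `C:\AuditTest` is a hypothetical test folder.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: policy + SACL on a dedicated test folder.

$folder = 'C:\AuditTest'   # hypothetical path; start with a test folder, as advised above
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Layer 1: audit policy. Without it, the SACL below produces no Security log events.
# "File System" is the English subcategory name; it is localized on other systems.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Layer 2: audit entry (SACL) for Everyone, limited to change/delete-type access,
# inherited by subfolders (ContainerInherit) and files (ObjectInherit).
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, Write, ChangePermissions, TakeOwnership'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $folder -Audit   # -Audit is required to read the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify layer 1 and layer 2.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Existing children that block inheritance will not receive the audit entry;
# list them so they can be fixed individually.
Get-ChildItem -Path $folder -Recurse -Force |
    Where-Object { (Get-Acl -Path $_.FullName -Audit).AreAuditRulesProtected } |
    Select-Object FullName
```

On current Windows versions the resulting file access events are written to the Security log with event ID 4663, not the 5xx IDs NT 4.0 used.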
 