Object Access Audit Issues

Status
Not open for further replies.

nbowles

Vendor
Jun 17, 2005
68
US
I have set up GP Audit for Object Access, both success and failure. I have also set up the specific folders' (objects') auditing tab to audit the Domain Users group. I'm not seeing anything in the security log that shows object access or failure. Any thoughts? Do I need to drill further down into the groups instead of using Domain Users? I initially tried to use the group Everyone, but didn't have any success.

The idea is to audit all file/folder access on a few sensitive folders and files for anyone attempting to access as well as anyone who has the appropriate permission and does access the files.

Thanks
n8
 
It sounds like what you're auditing is the Domain Users group rather than the actions of the Domain Users group. So if you add or remove someone from Domain Users (or otherwise attempt to modify it), you'll get an entry in the log.
 
Doesn't the Domain Users group include all domain users? The members of this group should then be audited as specified, correct?
 
No.

You're auditing the Domain Users object in AD. When that object is modified it will be logged. In other words, if you add/remove users to that group, it will be modified and logged. But auditing that object has nothing to do with auditing the actions of users who happen to be members of that group.
 
So in order to audit all users who are accessing objects, I need to manually put in all of the users that I want to audit. This seems to defeat the purpose of having a group to easily manage multiple objects. I think I'm confused on the whole group concept. The basic functionality I am looking for is to audit users' access or lack of access to certain folders and files on the network share. I have enabled an audit policy for this. Where then do I add the users to? Should it be in the GPM security filter and on the specific folder and file?
 
No, you need to enable auditing on the objects that you want audited. If you enable auditing on the users then you'll only be auditing the user objects, i.e., when a change is made to the user object (PW change, enable/disable, group membership) you will see it logged.

You're not confused about how groups work, you're confused about how objects work.

If you want to audit a directory or file, then you'll need to enable auditing ON THAT OBJECT. To do so, right-click on the object, select Properties, then the Security tab, then click Advanced, then go to the Auditing tab and set your auditing properties.
 
Okay, I've set auditing up on the object itself and I still do not see any object access messages in the event log. All I am seeing is logon/logoff events that are on by default. My understanding was that to audit an object you needed to create a GPO to do the auditing and then also enable it on the object. How do objects work?
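
Added example, not part of the thread: a PowerShell check of the two settings discussed above, the effective Object Access audit policy on the server that hosts the folder and the audit entries (SACL) on the folder itself. The folder path and group name are placeholders, and the auditpol subcategory and event IDs assume Windows Vista / Server 2008 or later; run it elevated on the file server.

```powershell
# Placeholders (assumptions, not values from the thread).
$Path  = 'D:\Shares\Sensitive'
$Group = 'CONTOSO\Domain Users'

# 1. Effective audit policy on THIS machine. A GPO that enables object
#    access auditing only matters if it applies to the server holding the
#    files; expect "Success and Failure" here, not "No Auditing".
auditpol /get /subcategory:"File System"

# 2. Audit entries (SACL) on the folder. -Audit is required; without it
#    Get-Acl returns only the permission entries (DACL).
$acl = Get-Acl -Path $Path -Audit
$acl.Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 3. Add a success+failure audit entry for the group if it has none.
#    The entry is inherited by subfolders and files.
$existing = $acl.Audit | Where-Object { $_.IdentityReference.Value -eq $Group }
if (-not $existing) {
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 4. After touching a file under $Path, look for the resulting events:
#    4656 = handle requested (failures show up here), 4663 = access attempted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object -First 10 TimeCreated, Id, KeywordsDisplayNames
```

Events are written to the Security log of the machine that hosts the folder, not of the client or a domain controller.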
 