Auditing
Hi,

Since enabling "Audit Object Access" generates a ton of logs, to reduce the amount of logs and only get the "File System" ones you can disable this and enable only the subcategory, using the Auditpol tool with the following command.

    AUDITPOL /SET /SUBCATEGORY:"File System" /SUCCESS:ENABLE /FAILURE:ENABLE

If we want to see all possible categories and subcategories, type the following line at the command prompt, and then press ENTER:

    auditpol /list /subcategory:*

For details about the Auditpol command, please refer to the following articles.

Auditpol
http://technet.microsoft.com/en-us/library/cc731451(v=ws.10).aspx

Auditpol set
http://technet.microsoft.com/en-us/library/cc755264(v=ws.10).aspx

How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain.
http://support.microsoft.com/kb/921469

In addition, we could also enable file and folder auditing with the following steps.

Enabling File and Folder Auditing
http://msmvps.com/blogs/richardwu/archive/2010/07/16/enabling-file-and-folder-auditing.aspx

Regards,
Andy
September 27th, 2012 2:47am

Hi All,

I have enabled auditing on a 2008 server and added the audit permissions to a folder I want to watch. I need to look for deletion of files and folders but am getting way too many records in the event logs at present.

I have been looking at

    auditpol /get /category:"Object Access"

I wanted to know which subcategories I actually need enabled for this so I can disable the rest to reduce the data in the event logs.

Many thanks,
Glenn
October 3rd, 2012 7:45am

October 4th, 2012 3:19am
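
Added example, not part of the original thread: a PowerShell sketch of the approach in Andy's reply, extended to limit the folder's audit entry to delete rights and to pull only delete accesses from the Security log. The folder path is a placeholder, and event ID 4663 and the DELETE access bit 0x10000 are Windows details that the thread itself does not mention.

```powershell
# Added example; run from an elevated PowerShell prompt.
$Folder = 'D:\Shares\Watched'   # placeholder path (assumption)

# 1. Switch off the whole "Object Access" category, then enable only "File System".
auditpol /set /category:"Object Access" /success:disable /failure:disable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /category:"Object Access"    # confirm only File System is enabled

# 2. Audit only delete rights on the folder, so reads and writes are not logged.
#    Broader audit entries already on the folder keep generating events until removed.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. List accesses under the folder whose access mask includes DELETE.
$DELETE = 0x10000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the <EventData> name/value pairs into a hashtable.
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # AccessMask is a hex string; test the DELETE bit rather than comparing the whole value.
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if (($mask -band $DELETE) -and $data['ObjectName'] -like "$Folder*") {
            New-Object PSObject -Property @{
                Time   = $evt.TimeCreated
                User   = $data['SubjectUserName']
                Object = $data['ObjectName']
            }
        }
    }
```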

This topic is archived. No further replies will be accepted.
