Auditing Folder Creation
Is it possible to audit folder creation? 2008 R2 domain with Advanced Audit Policy Configuration/Object Access/Audit File System set to Success and Failure. On a test folder I have auditing for Everyone for this folder and subfolders set with Create Folders / append data set to successful and failed and delete subfolders and files to successful and failed. I receive an event within the security log for folder deletion but not for folder creation.
Thanks
November 22nd, 2010 12:21pm
Hi,
read this tutorial again:
http://articles.techrepublic.com.com/5100-10878_11-5034308.html
HTH
Edoardo Benussi - Microsoft MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
November 23rd, 2010 9:24am
Hi,
Please check the following support article first:
Apply or Modify Auditing Policy Settings for a Local File or Folder
http://technet.microsoft.com/en-us/library/cc771070(WS.10).aspx
Please choose to audit the following events:
Create Files/Write Data
Create Folders/Append Data
Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. File and folder auditing is enabled using either Group Policy (for auditing domains, sites and organizational units) or local security policy (for single servers). If via GP, go to Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Audit Policy.
For more information, please refer to
http://technet.microsoft.com/en-us/library/dd560628(WS.10).aspx
Thanks.
Nina
This posting is provided "AS IS" with no warranties, and confers no rights.
November 23rd, 2010 11:01am
Running this command
auditpol /get /category:"Object Access"
yields File System has Success and Failure and the rest are set to No Auditing. I have Auditing set up on the folder I wish to audit with
Create Files/Write Data
Create Folders/Append Data
Yet I am not seeing anything in the Security Log. It was my understanding that I only needed to enable what I wanted under the "Advanced Audit Policy Configuration" in GP. Is this not correct? If I enable the "Audit object access" under Local Policies I get a ton of unwanted information.
November 23rd, 2010 12:29pm
Only if you enable "audit object access" under local policies do you "turn on auditing"; otherwise it can't work.
HTH
Edoardo Benussi - Microsoft MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
November 27th, 2010 3:35am
Hi,
Thanks for your clarification. Please help confirm whether you have defined this audit policy under the default domain policy. Does the issue occur on one PC? What is the OS version on it?
Please note that if you are using Group Policy to apply the advanced audit policy settings and global object access settings, client computers must be running Windows Server 2008 R2 or Windows 7. In addition, only computers running Windows Server 2008 R2 or Windows 7 can provide "reason for access" reporting data. For more information, you can refer to the following article:
Which Versions of Windows Support Advanced Audit Policy Configuration?
http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx
Have you defined policy under Local Policies\Audit Policy? Please note that using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
I see that you have run “auditpol.exe /get /category: *”. Did you run it on the problematic client PC with the domain admin privilege?
For the detailed steps on how to create an advanced audit policy, please refer to the “Step 2: Creating and verifying an advanced audit policy” section in the following support article:
Advanced Security Audit Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd408940(WS.10).aspx#BKMK_step2
If it does not help, please help gather the following files for research:
Event log on the problematic client
--------------------------------------
1. Click "Start", click “Run”, input "eventvwr" and press Enter.
2. Expand the "Windows Logs" node on the left pane, right-click on "Security" and click "Save All Events As"; in the pop-up window, click to choose the Desktop icon on the left frame, input "sec" in the "File name" blank, and then click save.
3. Right click on "System", with the same method, save it as "sys".
4. Locate the two saved log files on the Desktop and send them to us.
GPMC Log
-----------
a. On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console. If the GPMC snap-in is not installed,
b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account. (Choose computer and select the proper user in the wizard)
c. Right click the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.
Please locate the saved files for research. Upload these files to the following workspace.
You can upload the information files to the following link. (Please choose "Send Files to Microsoft")
Workspace URL: (https://sftus.one.microsoft.com/choosetransfer.aspx?key=c4ec15cc-19db-4bd6-8867-edc83e022943)
Password: S@227x$RCP228$xq
Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please ensure to notify me timely after you have uploaded the files. Thank you for your understanding.
Thanks.
Nina
November 28th, 2010 11:53pm
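The checks discussed in the replies above, gathered into one script as an added example; it is not part of the thread and not any poster's own code. It assumes an elevated PowerShell session on the server holding the folder and a hypothetical test path C:\AuditTest; event ID 4663 and the SCENoApplyLegacyAuditPolicy registry value are standard Windows identifiers that the thread itself does not name.

```powershell
# Added example. Run elevated on the server that hosts the audited folder.
$folder = 'C:\AuditTest'   # assumption: hypothetical test folder
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Effective setting of the File System subcategory on THIS machine.
auditpol /get /subcategory:"File System"

# 2. "Audit: Force audit policy subcategory settings" is stored in this value.
#    1 = basic category settings are ignored; empty output = value not set.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"

# 3. Add a SACL entry for Everyone: Create Files/Write Data and
#    Create Folders/Append Data, Success and Failure, inherited by children.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $folder -Audit      # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl
(Get-Acl -Path $folder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# 4. Trigger a folder creation under the audited path.
$start = Get-Date
$child = Join-Path $folder ('sub_' + $start.ToString('HHmmss'))
New-Item -ItemType Directory -Path $child | Out-Null
Start-Sleep -Seconds 2

# 5. List object-access events (4663) for the test path since the trigger.
#    AccessMask bit 0x4 is AppendData / AddSubdirectory.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ObjectName -like "$folder*") {
            New-Object PSObject -Property @{
                Time       = $evt.TimeCreated
                ObjectName = $d.ObjectName
                AccessMask = $d.AccessMask
                AddSubdir  = (([Convert]::ToInt32($d.AccessMask, 16) -band 0x4) -ne 0)
            }
        }
    } | Select-Object Time, ObjectName, AccessMask, AddSubdir
```

If step 5 returns nothing, the output of steps 1 and 2 shows which policy is actually in effect on that machine, which is the question the last reply asks.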


