Hello, We are looking to implement an audit policy for the purpose of collecting info in SCOM ACS however I find the info available in the event viewer after the audit policy is put into place is very vague and does not give us the info we need.. Our main requirements to audit are logon/logoff File/Folder -read, write, delete (move, rename) For example I turn on auditing for File system using Auditpol Auditpol /set /subcategory:”file system” /success:enable I go to my test folder “SCOM test” and navigate to the auditing. I set Apply to “this folder, subfolders and files”. I select “everyone” and apply the “create folders/append data – successful” checkbox. I create a new sub directory and get an event id 4663 which is correct. The only issue is that in no place does it reference the name of the created folder. ß This doesn’t seem to be useful. It does reference the parent folder that the new folder was created in however this would not be the info we are looking for. Any help on this would be much appreciated (I suspect some of the other audit policies will have me scratching my head too but for now I decided to start with simple folder creation) Thank you