Auditing in reverse
Hi,
I have set up auditing on one of our servers to report when people "fail" to access a folder on the server. But instead of reporting when people are "failing" to access the folder, it reports they have failed when they have successfully accessed the folder and files inside. I have checked the server and have made sure it's as up to date as possible. Any ideas?
Russty
August 21st, 2009 3:57pm
I have noticed similar issues. I don't know if this applies to your scenario but ... These seem to occur when I am auditing write access on objects that the user only has read access to. They can read the files OK but since they do not have write access to the file it generates a write failure. (Not sure why since they didn't actively try to edit the file.)
Basically, if they don't have certain permissions on an object but you audit for those then they will fail since they don't have that permission.
Could this be your issue?
Michael
August 21st, 2009 7:19pm
Hello,
Thanks for your post.
This may be expected behavior, depending on how an application tries to get access. For example, some applications try to open some files or folders with Read and Write although they may actually only need read activity. This may cause unexpected behavior.
To understand the problem better, please use the Process Monitor tool to capture the file/registry access when this issue is reproduced. With the audit event log and the Process Monitor log, we can identify what the problem is and how the application actually tries to access some resource.
1. What audit settings did you set on those files and folders?
2. Please mount the Process Monitor on the Explorer.exe when you try to access the share from the client and collect the logs.
3. You can collect the MPS report (PFE version) on the server for analysis. The MPS Reporting Tool is utilized to gather detailed information regarding a system's current configuration including security events. To collect the PFE log:
a. Please download MPS Reporting Tool (MPSRPT_PFE.EXE) from the following link:
(http://www.microsoft.com/downloads/details.aspx?FamilyID=00ad0eac-720f-4441-9ef6-ea9f657b5c2f&DisplayLang=en)
Please note: The link may be truncated when you read the E-mail. Be sure to include all text between '(' and ')' when navigating to the download location.
b. Right click MPSRPT_PFE.EXE and select Run as Administrator to run this tool, and you will see a Command Window start up.
c. Please type Y at the message <Include the MSINFO32 report? (defaults to Y in 15 seconds)[Y,N]?>
d. When the tool is done you will see an Explorer Window opening up the %systemroot%\MPSReports\Setup\Reports\cab folder and containing a <Computername>MPSReports.cab file. Then send the package to me at v-mileli@microsoft.com for further investigation.
If you have any questions or concerns, please do not hesitate to let me know.
August 24th, 2009 1:31pm
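The over-requested access described in the two replies above can be checked against the audit records themselves. The following PowerShell is an added example, not code from any poster in this thread: it decodes the requested access mask and flags failures where write-class rights were requested while a read-only open of the same object by the same account succeeded. The record shape (Result, Account, ObjectName, AccessMask), the function names and the sample events are constructed assumptions; the bit values are the standard file access rights.

```powershell
# Standard file/directory access-right bits (winnt.h values).
$FileRights = @(
    @{ Bit = 0x000001; Name = 'ReadData';        Write = $false }
    @{ Bit = 0x000002; Name = 'WriteData';       Write = $true  }
    @{ Bit = 0x000004; Name = 'AppendData';      Write = $true  }
    @{ Bit = 0x000008; Name = 'ReadEA';          Write = $false }
    @{ Bit = 0x000010; Name = 'WriteEA';         Write = $true  }
    @{ Bit = 0x000020; Name = 'Execute';         Write = $false }
    @{ Bit = 0x000040; Name = 'DeleteChild';     Write = $true  }
    @{ Bit = 0x000080; Name = 'ReadAttributes';  Write = $false }
    @{ Bit = 0x000100; Name = 'WriteAttributes'; Write = $true  }
    @{ Bit = 0x010000; Name = 'DELETE';          Write = $true  }
    @{ Bit = 0x020000; Name = 'READ_CONTROL';    Write = $false }
    @{ Bit = 0x040000; Name = 'WRITE_DAC';       Write = $true  }
    @{ Bit = 0x080000; Name = 'WRITE_OWNER';     Write = $true  }
    @{ Bit = 0x100000; Name = 'SYNCHRONIZE';     Write = $false }
)
# Combined mask of every right that modifies the object or its security.
$WriteBits = 0
foreach ($r in $FileRights) { if ($r.Write) { $WriteBits = $WriteBits -bor $r.Bit } }

# Hypothetical helper: turn an access mask into the names of the rights it requests.
function ConvertFrom-FileAccessMask([int]$Mask) {
    foreach ($r in $FileRights) { if ($Mask -band $r.Bit) { $r.Name } }
}

# Hypothetical helper: for each failure, report whether write-class rights were requested
# and whether a read-only open of the same object by the same account succeeded.
function Find-OverRequestedFailure([object[]]$Events) {
    foreach ($f in ($Events | Where-Object { $_.Result -eq 'Failure' })) {
        $readOk = $Events | Where-Object {
            $_.Result -eq 'Success' -and $_.Account -eq $f.Account -and
            $_.ObjectName -eq $f.ObjectName -and -not ($_.AccessMask -band $WriteBits)
        }
        $wantedWrite = [bool]($f.AccessMask -band $WriteBits)
        [pscustomobject]@{
            Account       = $f.Account
            ObjectName    = $f.ObjectName
            Requested     = (ConvertFrom-FileAccessMask $f.AccessMask) -join ','
            OverRequested = $wantedWrite -and [bool]$readOk
        }
    }
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ Result='Failure'; Account='EXAMPLE\user1'; ObjectName='D:\Share\a.docx'; AccessMask=0x12019F }
    [pscustomobject]@{ Result='Success'; Account='EXAMPLE\user1'; ObjectName='D:\Share\a.docx'; AccessMask=0x120089 }
    [pscustomobject]@{ Result='Failure'; Account='EXAMPLE\user2'; ObjectName='D:\Share\b.docx'; AccessMask=0x120089 }
)
Find-OverRequestedFailure $sample | Format-Table -AutoSize
```

In the sample, the first failure is marked OverRequested because the request included write rights and a read-only open succeeded; the second is a plain read denial and is not.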
Hi Miles,
Thanks for the help so far. I've tried sending you the files but your email address is giving me a bounce back. Can you confirm it for me please?
Regards
Russ
August 25th, 2009 5:59pm
Hi,
Thanks for the update.
My mailbox is v-mileli@microsoft.com. (There is "V-" before my alias).
Additionally, could you please explain more about the details:
1. What application/program causes this issue when accessing the files and folder? Is it explorer.exe? If it is not Explorer.exe, please attach the Process Monitor on that application/program and collect the logs.
If you have any questions or concerns, please do not hesitate to let me know.
August 26th, 2009 1:30pm
Hi Miles,
It is explorer.exe. How do you want me to send the Process Monitor logs? They are 200MB.
August 27th, 2009 5:48pm
Hi,
Thanks for the update.
1. Do you filter to the Explorer.exe while capturing the log?
2. Can you identify the Operation when Explorer.exe accesses the shared files and folders?
If you have any questions or concerns, please do not hesitate to let me know.
August 28th, 2009 1:34pm


