Detailed File Share auditing is enabled.  How/Where?  Causing high event volume of 5145 events.
I have some 2008 R2 DCs that I noticed recently as having thousands of 5145 events being logged. In my research this event is logged for any access to any file share (without regard for SACLs) and is set at the Advanced Audit->Object Access->File Share audit setting. The problem is, this advanced audit item is NOT configured on any GPO applying to the DC as verified by RSoP (resultant set of policy). I do have "Audit Object Access" auditing enabled via the legacy audit method, however as I understand it, it only audits objects that have SACLs set on them. I currently have one SACL set, and that's to track file deletions on the SYSVOL share.

Note, running the following command shows ALL of the advanced subcategory audit items as being enabled (including Audit File Share):

    auditpol /get /category:"Object Access"

I found the following article that implies enabling the legacy audit method for "Audit Object Access" automatically enables all of the advanced subcategories: http://cosonok.blogspot.com/2010/09/getting-loads-thousands-per-second-of.html. This seems to go completely against the description for the legacy "Audit Object Access" item, which clearly states only items with SACLs will be audited. Am I missing or misunderstanding something?

I realize that I probably should just use the Advanced auditing (and not the legacy items), but I have yet to dig into that. Since the legacy option is there, I'd like to get a firm grasp as to why I'm getting the results I'm getting.
March 7th, 2011 11:24am

Hi, can you paste the full 5145 event information? I think you can uncheck the success of Audit Object access for a test.
March 8th, 2011 11:56am

Here is the text of the 5145 event. Also I cannot disable successful audits for Object Access, as there are some cases where this auditing is required. I fully understand the issue... turning on Object Access logging using the legacy auditing method will enable all subcategory audit items (which includes items that log audit items regardless of SACLs being present or not). I just don't understand why that is, as that in itself violates what Object Access logging is intended for, per the explanation text of that audit item, which is to only log non-AD objects but only if they have SACLs defined.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/7/2011 9:19:24 PM
Event ID:      5145
Task Category: Detailed File Share
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      APACBLR01DCX02.APAC.FADV.NET
Description:
A network share object was checked to see whether client can be granted desired access.

Subject:
    Security ID:    APAC\BLR01SSDPRI$
    Account Name:   BLR01SSDPRI$
    Account Domain: APAC
    Logon ID:       0x408eb6d

Network Information:
    Object Type:    File
    Source Address: 10.254.67.82
    Source Port:    1502

Share Information:
    Share Name:           \\*\IPC$
    Share Path:
    Relative Target Name: \

Access Request Information:
    Access Mask: 0x80
    Accesses:    ReadAttributes

Access Check Results:
    *XML info stripped*
March 8th, 2011 1:13pm

Hi Matthew,

RSoP cannot display the result of Advanced Audit Policy. You can verify the result by running the following command in a CMD window:

    auditpol.exe /get /category:*

I have enabled the legacy audit policy: Audit object access. It did not enable the Audit Detailed File Share. Currently, I suggest you use GPMC to collect a Group Policy Results for this computer and check it:

1. Open GPMC, right-click Group Policy Results on the left pane.
2. Choose Group Policy Results Wizard, follow the wizard to collect a Group Policy result for the problematic computer.
3. After that, highlight the result on the left pane. Click the Settings on the right pane. Then, you can find which GPO enabled the Audit Detailed File Share.

Regards,
Bruce

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 11th, 2011 3:30am

Thanks for your reply Bruce,

My apologies... I must clarify that when I stated I ran an RSoP, I actually meant that I ran the GPMC Group Policy Results. All Advanced Audit Policy items were marked "Not Configured", yet the auditpol.exe command shows they all were. I've even checked the local security policy. Nothing is configured anywhere, outside of the legacy audit policy. I'm not sure why you can't replicate my results, as every 2008 R2 domain that I have configured currently shows this exact scenario. Moreover, the link I provided backs the claim.

Thanks,
Matthew
March 11th, 2011 8:14am

Hi Matthew,

Please save the GPMC Group Policy Results and upload to this space (Please choose "Send Files to Microsoft"):

Workspace URL: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=3f16286c-1b1d-4e19-abb4-af78342387ef
Password: K*#pr+G3At$Ve

Meanwhile, please let me know the detailed steps that you used to enable the legacy audit policy: Audit object access. I will test in my lab again.

Regards,
Bruce

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 11th, 2011 11:54am

I uploaded a zip file named AuditPolicyTroubleshooting.zip.

Please note: The original domain I was troubleshooting somehow has those configuration options turned off! I have no idea who/what turned them off. I have a suspicion that one of my domain admins made some changes after me bringing this issue to their attention, however I'm unsure who as no one is owning up to it. As such the zip file attached is from another domain also confirmed to have this issue. I saw some event log entries citing these audit items were in fact being turned off, but it does not reference the user who initiated the change. The group policy is also unchanged.

How do I find out who/what did this? Moreover, HOW did they do it, if not through local and/or group policy? Maybe with the Auditpol command itself? Wouldn't it log who did it, especially since auditing (was) turned on for everything?

As far as my normal process, usually when I set auditing rules, I just open the Default Domain Controllers policy and drill down to the (legacy) Audit Policy section, then set Success and Failure for all options. I have never gone into the Advanced Audit section. This is all I have ever done. Maybe something else specifically enabled it, I dunno.

Example event log entry as mentioned above:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/8/2011 1:20:55 PM
Event ID:      4719
Task Category: Audit Policy Change
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      APACBLR01DCX02.APAC.FADV.NET
Description:
System audit policy was changed.

Subject:
    Security ID:    SYSTEM
    Account Name:   APACBLR01DCX02$
    Account Domain: APAC
    Logon ID:       0x3e7

Audit Policy Change:
    Category:         Object Access
    Subcategory:      File Share
    Subcategory GUID: {0cce9224-69ae-11d9-bed3-505054503030}
    Changes:          Success removed, Failure removed

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4719</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13568</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2011-03-08T07:50:55.403280900Z" />
    <EventRecordID>110618495</EventRecordID>
    <Correlation />
    <Execution ProcessID="480" ThreadID="2700" />
    <Channel>Security</Channel>
    <Computer>APACBLR01DCX02.APAC.FADV.NET</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">APACBLR01DCX02$</Data>
    <Data Name="SubjectDomainName">APAC</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="CategoryId">%%8274</Data>
    <Data Name="SubcategoryId">%%12808</Data>
    <Data Name="SubcategoryGuid">{0CCE9224-69AE-11D9-BED3-505054503030}</Data>
    <Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
  </EventData>
</Event>
March 11th, 2011 2:29pm

It looks like this has now turned into an even bigger problem. It appears NO auditing is being done now. Something turned it off, yet the Group Policy Results shows it clearly still defined.

AuditPol

C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

Group Policy Results

Local Policies/Audit Policy
Policy                           Setting            Winning GPO
Audit account logon events       Success, Failure   Default Domain Controllers Policy
Audit account management         Success, Failure   Default Domain Controllers Policy
Audit directory service access   Success, Failure   Default Domain Controllers Policy
Audit logon events               Success, Failure   Default Domain Controllers Policy
Audit object access              Success, Failure   Default Domain Controllers Policy
Audit policy change              Success            Default Domain Controllers Policy
Audit privilege use              Failure            Default Domain Controllers Policy
Audit process tracking           No auditing        Default Domain Controllers Policy
Audit system events              Success            Default Domain Controllers Policy
March 21st, 2011 2:35pm

Hi,

Is there someone else who can modify the GPO? I have not received your last zip file. Currently, please collect the latest Group Policy Results using the wizard in GPMC and upload to this space (Please choose "Send Files to Microsoft"):

Workspace URL: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=a7b874fc-3a7d-41d8-a46e-869cae79798e
Password: 6GsLqh8s#o1

Meanwhile, if the issue is urgent to your business, it is recommended that you contact Microsoft Customer Support Services (CSS) via telephone so that a dedicated Support Professional can assist you in a more efficient manner. To obtain the phone numbers for specific technology request please take a look at the web site listed below. http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS If you are outside the US please see http://support.microsoft.com for regional support phone numbers.

Regards,
Bruce

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 23rd, 2011 7:11am

I uploaded the file again.

The file, FADV_Auditing_Issues.zip, was uploaded successfully.
Send Files - Standard
File Name  : FADV_Auditing_Issues.zip
Start Time : Thu, 24 Mar 2011 13:15:26 UTC
End Time   : Thu, 24 Mar 2011 13:15:24 UTC
Time Taken : -2 seconds

This is not an urgent matter. Also, while there are others that *can* make GPO changes, I'm really the only one that does. On the domain that ended up having auditing completely disabled (per AuditPol) regardless of what was configured in GPO, we were not able to find the cause. We did, however, find that simply replacing the legacy audit configuration with the Advanced Audit Policy configuration (within the only GPO it was defined in) ended up fixing the issue entirely for that domain. That was the only change that was made! Ultimately this makes no sense.

But anyway, my other two domains still have just the legacy auditing enabled, yet AuditPol shows every setting as being configured for success/failure. I'm still not understanding this. Again, based on the research I did, other people have noticed this same thing, which led me to believe it was normal, but you saying it does not happen for you makes me wonder if it is in fact normal. I'm looking forward to your reply to the information that was sent.
March 24th, 2011 9:20am

I am noting similar behaviour in a Windows 2003 domain that has introduced a Windows 2008 member server being used for a File Share only; the Windows 2008 member server security log is being pounded with event ID 5145. Since this thread seems to be dealing with why a Security log on a Windows 2008 Server is being filled with Event ID 5145 entries that cannot be traced back to a known "enabled" state, can you advise if anything new has been determined on this? I have run the suggested commands as outlined above and cannot account for why these events are occurring.
April 21st, 2011 2:53pm

Glen,

What are the results of the following command being run on the 2008 member server?

    auditpol /get /category:*

I haven't found any further information regarding this topic. At this point I'm just relying on configuring the advanced audit policy vs. the legacy policy.

-Matthew
April 21st, 2011 4:25pm

To summarize: AAP is used even if all the categories say "Unconfigured" in GPO; when you change any of the categories, you receive "No auditing" in all categories. The fix is to force using AAP via GP and set up granular audits. Today I have the same issue as the topic starter. Looks like a bug.
March 31st, 2012 10:13am
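An added triage script for the situation summarized above (it is not from the thread or from Microsoft): it reads the registry switch behind "force using AAP via GP", lists the effective subcategories from auditpol's CSV report, and pulls the 4719 and 5145 events quoted earlier in the thread to show who changed the policy and which shares generate the volume. It assumes PowerShell 3.0 or later, run elevated on the affected server.

```powershell
# Added triage script, not from the thread. Assumes PowerShell 3.0 or later,
# run elevated on the affected server; the registry value, auditpol's /r CSV
# columns and the event data fields are as Microsoft documents them.

# 1. Is the "Force audit policy subcategory settings (Windows Vista or later)
#    to override audit policy category settings" switch in effect? With this
#    DWORD set to 1 only Advanced Audit Policy (AAP) subcategories apply. Unset
#    or 0 means the nine legacy categories still apply, and a legacy category
#    such as "Audit object access" covers every subcategory beneath it,
#    Detailed File Share (event 5145) included.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($null -eq $force) { $force = 'not set' }
"SCENoApplyLegacyAuditPolicy = $force"

# 2. Effective per-subcategory policy. auditpol /r emits CSV with the columns
#    Machine Name, Policy Target, Subcategory, Subcategory GUID,
#    Inclusion Setting, Exclusion Setting; list only what is actually enabled.
$effective = auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
$effective | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Helper: pull a labelled line ("Subcategory:", "Changes:") out of an event's
# rendered message text.
function Get-MessageField([string]$Message, [string]$Label) {
    if ($Message -match "(?m)^\s*$Label\s*(.+?)\s*$") { $Matches[1] } else { '' }
}

# 3. Who changed the policy? Event 4719 is written for every subcategory change.
#    A subject of SYSTEM (S-1-5-18), as in the thread, means the change came
#    from the local policy engine rather than from someone running auditpol.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Subcategory = Get-MessageField $_.Message 'Subcategory:'
            Changes     = Get-MessageField $_.Message 'Changes:'
        }
    } | Format-Table -AutoSize

# 4. Which shares drive the 5145 volume? Count the most recent events by share.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Group-Object { ([xml]$_.ToXml()).Event.EventData.Data |
                   Where-Object { $_.Name -eq 'ShareName' } | Select-Object -ExpandProperty '#text' } |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

A 5145 top-share list dominated by \\*\IPC$, as in the event quoted earlier, points at named-pipe and RPC traffic from domain members rather than at user file access, which is the usual reason Detailed File Share auditing is left off on domain controllers.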

"I haven't found any further information regarding this topic. At this point I'm just relying on configuring the advanced audit policy vs. the legacy policy. -Matthew"

Hi Matthew,

I'm in the same boat you are. After editing any portion of AAP, and then setting all categories to "not configured", it seems as if legacy policy no longer has any effect on logging. Have to rely on AAP audit at a granular level. If you should ever happen to find a resolution to this, PLEASE share.

-Eric
June 5th, 2012 5:20pm

Matthew, I found the answer to the problem... read here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/79820070-de59-43ef-9f95-1441e23bb5ca
June 5th, 2012 5:37pm
