File Access Auditing.
I am having some problems turning this on. It seems like it is not set in group policies on our Windows Server 2008 R2 SP1.

In GPedit on the server I can set either

Under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy  > Audit Object Access

or

Under Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Audit > Audit File System.

It works for a while until Group Policies on that server refresh. If I set either of those in Group Policy Management then the option it grayed out on the local server and still turned off. I cannot find any place in any GPO that is setting the policy to off.

When I run modeling to tell me where the setting is coming from, it is either empty or it shows that I have turned it on in group policies. But it is not turned on. It is turned off.
February 23rd, 2015 9:34am

you should enable "advanced audit policy" as these settings refer to the new audit policies introduced in 2008.

This step-by-step explains what is needed for succesfull auditing.

Also note that the local gpedit tool does not reflect all settings made by GPO. To review audit settings, you should solely rely on the command line tool  auditpol.exe

Free Windows Admin Tool Kit Click here and download it now
February 23rd, 2015 9:53am

As the server is Windows Server 2008 R2, I would recommend using the Advanced Audit Policy Configuration (Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\) as opposed to the older Audit Policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\) .

Please refer to this informative technet blog that would be a good start-up : http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx

Moreover, if you wish to manage this task automatically, you may also consider on LepideAuditor suite (http://www.lepide.com/file-server-audit/) that could be a good alternative approach while need to audit file access into real time even at granular level. Please have a look on this blog : Auditing File Access and File Share for step-wise instructions.

February 24th, 2015 4:54am

You should use gpmc.msc not gpedit.msc otherwise your local policy is overwritten by domain one. (that's why it works for a while and then stops)

Here is a simple guide: https://gallery.technet.microsoft.com/File-Server-Auditing-Quick-79f8a739

Free Windows Admin Tool Kit Click here and download it now
February 24th, 2015 5:23am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics