File and folder access auditing
Hi, I am trying to configure file and folder access auditing on a 2008 R2 server. I have enabled object access auditing as well as added the required groups to be audited in the 'auditing' tab on the required folders. After testing I am seeing event ID 5140 in the security event log with the correct username; however, the share name information is always \\*\IPC$. Is this correct or should it report the name of the audited folder being accessed? Thanks
January 25th, 2012 11:12am

The IPC$ share is used with temporary connections between clients and servers by using named pipes for communication among network programs. It is primarily used to remotely administer network servers. Normally for event ID 5140 you should see \\*\sharedfolder. Make sure you correctly configured the object access settings. Try running this on the server hosting the shares:
auditpol /get /category:"Object Access"
Maybe it will help.
MCTS - http://mariusene.wordpress.com/
January 25th, 2012 2:50pm

The auditpol results as follows:
January 26th, 2012 2:01am

Hi, Thank you for your post. To audit a shared folder, you also need to enable auditing on your folder: Right click on the folder--Properties--Security--Advanced--Auditing tab--click Edit--Add everyone--select Full control audit successful and failed. If there are more inquiries on this issue, please feel free to let us know.
Regards, Rick Tan, TechNet Community Support
January 26th, 2012 2:45am

Hi Jan, I have 2 shared folders on my SBS 2008 server where I set up audit - I did config of local policy. You must config the policy in domain policy instead of local policy. Run RSOP.msc to check the audit object policy by which domain policy. Please check the KB310399 mentioned Troubleshooting part state:
- The hard disk must be formatted with the NTFS file system for auditing to work.
- If your computer is a member of a domain and the administrator has set domain-level auditing policies, those policies override these local settings.
Regards, Rick Tan, TechNet Community Support
February 1st, 2012 8:49pm

Hi Rick, thank you for the answer, but no success at this time. I did these things before you replied to me, but there is no chance to edit the Advanced audit policy. I am able to allow audit - audit object access, but then I see tons of event logs which are not needed. I found that I can reduce these logs by setting Advanced Audit Policies... I didn't find this policy in my RSOP.msc. I found some information that SBS 2008 doesn't allow this policy... Is it right? http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008
Thanks, Jan
February 3rd, 2012 3:14am

Hi,
"Is there possibility to manage advanced audit policy on SBS 2008?"
To process advanced audit policy, client computers must be running Windows Server 2008 R2 or Windows 7. But SBS 2008 is based on Windows 2008, not R2.
"I found some information that SBS 2008 dont allow this policy... Is it right?"
Like your posted article "Recommended Baseline Audit Policy for Windows Server 2008", the Auditpol.exe command (not policy) could let you manage audit policies at a more detailed level by using audit policy subcategories when:
1. Local Policies--Audit Policy set to enabled audit success or failure (not defined means disabled audit by default)
2. Security options--Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy set to enabled (enabled by default)
3. Use the Auditpol.exe command to configure detailed security auditing settings like KB921469:
auditpol /clear
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
....
Regards, Rick Tan, TechNet Community Support
February 6th, 2012 1:12am

Hi Rick, so these ideas should solve the problem with the event log. But how can I solve the problem with event 5140, where the network path is wrong? \\.\IPC*
Thanks, Jan
February 6th, 2012 7:25am

Audit is running but I am not able to know which file had been deleted and who deleted it. It is not very useful. And the missing advanced audit policy setting is not good too.
March 7th, 2012 9:08am

Hey, is there a way to enable audit on the folder from the command-line on Windows 2008 Server R2? Thx
June 11th, 2012 11:38am

Since nobody answered your question - no, seemingly not. But you can configure it through classic GPO settings (Computer - Policies - Windows Settings - Security Settings - File System)
regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
July 26th, 2012 6:36am

This topic is archived. No further replies will be accepted.
