No delete event IDs in logs even though audit has been defined
Hi,

On a Windows Server 2008 SP2, I have defined an audit policy for object access and configured a directory to audit. For the audit on the directory, I have checked Create files, Create folders, Delete subfolders and files, and Delete. When I create files in this directory I have event IDs related to the creation. Audit for creation is OK. When I try to delete files, I expect to have event ID 4660 and a few others in the security log. But no event IDs appear in the log. The filesystem is on a SAN drive and I access it via a share. There is a problem auditing the deletion of files. Does someone know how to fix this or a way to diagnose the problem? I have pasted the output of gpresult /v below, if it can help.

Thanks,
Bernard

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2010-11-24 at 14:04:44

RSOP data for QWSAS51D\Administrateur on QWSAS51D : Logging Mode
-----------------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.0.6002
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrateur
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=QWSAS51D,CN=Computers,DC=inspqlab,DC=qc,DC=ca
    Last time Group Policy was applied: 2010-11-24 at 13:26:52
    Group Policy was applied from:      QWWAD51D.inspqlab.qc.ca
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        INSPQLAB
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Stratégie de groupe locale
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        Administrateurs
        Tout le monde
        Utilisateurs
        RESEAU
        Utilisateurs authentifiés
        Cette organisation
        QWSAS51D$
        Ordinateurs du domaine
        Niveau obligatoire système

    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  122

            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

        Audit Policy
        ------------
            GPO: Default Domain Policy
                Policy:            AuditAccountManage
                Computer Setting:  Success

            GPO: Default Domain Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Success, Failure

            GPO: Default Domain Policy
                Policy:            AuditLogonEvents
                Computer Setting:  Success, Failure

            GPO: Default Domain Policy
                Policy:            AuditSystemEvents
                Computer Setting:  Success, Failure

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59058
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                Computer Setting:  1

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

USER SETTINGS
--------------
    Last time Group Policy was applied: 2010-11-24 at 13:15:39
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        QWSAS51D
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        None
        Tout le monde
        Administrateurs
        Utilisateurs
        REMOTE INTERACTIVE LOGON
        INTERACTIF
        Utilisateurs authentifiés
        Cette organisation
        LOCAL
        Authentifications NTLM
        Niveau obligatoire élevé

    The user has the following security privileges
    ----------------------------------------------
        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Act as part of the operating system
        Replace a process level token
        Increase a process working set

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
November 24th, 2010 2:13pm

Hi,

Please note that before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. Via GP, go to Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Audit Policy, Audit Object Access.

I see that you have “defined an audit policy for object access and configured a directory to audit”. Meanwhile, from the gpresult log above, we can see no object access related audit GPO. If you can make sure the policy is defined correctly, please run gpupdate /force on the problematic PC and restart to check the results.

If the issue persists, the issue can be caused by the replication factor. As we know, after a setting is added to a GPO, that change must be replicated throughout the network. If the setting is specified in the GPO but is not listed in the Group Policy Results report on the client, it might be that the change has not yet been replicated to the domain controller that supplied the GPO to the client. Please make sure AD replication is working fine first.

If it does not help, please help gather the following files for research.

dcdiag /v >c:\dcdiag.txt (run this command from the logon DC)
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt

GPMC Log
--------------------
a. On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console. If the GPMC snap-in is not installed,
b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper user in the wizard)
c. Right click the resulting group policy result and click the "Save Report…" => save report to save the report to an HTML file.

Please locate the saved files for research. Upload these files to the following workspace. You can upload the information files to the following link. (Please choose "Send Files to Microsoft")

Workspace URL: (https://sftus.one.microsoft.com/choosetransfer.aspx?key=5b7131e6-d930-422c-9def-e589756a6702)
Password: iUDw@KHcE2zz-

Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please ensure to notify me timely after you have uploaded the files. Thank you for your understanding.

Thanks.
Nina

This posting is provided "AS IS" with no warranties, and confers no rights.
November 26th, 2010 6:00am

Hi Nina,

Thanks for your reply. First, sorry about the gpresult; it shouldn't have been there. I tried many things and in the last test, I disabled GPO on the DC and defined local policy on my problem server with secpol.msc. Now I revert back to using GPO as it is the way we would like it to be. But as we have two servers that need audit on object access, doing it locally will be OK. Let's try by GPO first.

On the DC I defined the Audit Object Access Policy for Success and Failure. Here is the output of gpresult /v on my problem server:

C:\Users\Administrateur>gpresult /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2010-11-26 at 08:36:29

RSOP data for QWSAS51D\Administrateur on QWSAS51D : Logging Mode
-----------------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.0.6002
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrateur
Connected over a slow link?: No

[snip]

        Audit Policy
        ------------
            GPO: Default Domain Policy
                Policy:            AuditAccountManage
                Computer Setting:  Success

            GPO: Default Domain Policy
                Policy:            AuditObjectAccess
                Computer Setting:  Success, Failure

            GPO: Default Domain Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Success, Failure

            GPO: Default Domain Policy
                Policy:            AuditLogonEvents
                Computer Setting:  Success, Failure

            GPO: Default Domain Policy
                Policy:            AuditSystemEvents
                Computer Setting:  Success, Failure

[snip]

I understand from this output that the replication should be fine. Now, I test by defining an audit on c:\temp and sharing it. The audit has been defined for the domain users. I then define a network drive on my workstation to access c:\temp on the server. I create and delete files on this share and the appropriate event IDs appear in the security log of the server. First test is OK.

I do the same but with another share drive, D:\infocentre, but the test is not so good. I have event IDs for file creation but nothing for deletion. I think we can come to the conclusion that the GPO is fine but there is something more specific to either the drive or the directory where the audit is applied. How can we diagnose such a specific problem?

Thanks,
Bernard
November 26th, 2010 9:52am

Hi,

Thanks for your feedback. According to your description, the GPO is configured and linked correctly. Also, the auditing is working fine on C:\temp. It seems that there is something wrong with the auditing settings for D:\infocentre.

Please first double check whether the NTFS and share permissions on D:\infocentre are correct. Then, check whether the auditing settings are correct. For more information, you can refer to the following support article:

Apply or Modify Auditing Policy Settings for a Local File or Folder
http://technet.microsoft.com/en-us/library/cc771070(WS.10).aspx

Please double check the inheritable auditing related settings and the "Apply onto" option. If the issue persists, please compare the auditing settings for the temp folder and the infocentre folder.

To help narrow down the cause of the issue, please create a file or folder on the server directly instead of on the workstation. What is the result?

Thanks.
Nina

This posting is provided "AS IS" with no warranties, and confers no rights.
November 30th, 2010 10:28pm

Hi,

The "Apply onto" is set to "This folder, subfolders and files". I did a few tests to try to narrow down the problem.

First, I created a local user on the server and did the appropriate setup to audit this user on c:\temp and d:\infocentre. In the security log, I got the right event IDs for creation and deletion on those two folders. I did this test directly on the server, not via a share from another computer. Second, with the same user but this time from another computer and shares on the two test folders, I still got the right event IDs in the security log. With a local user on the server, it works fine.

I removed this local user and all auditing configuration related to this user. I went to my AD and set up a new user. On my server, I configured the audit for this new user. Then I did two tests, locally and remotely (with a share) on c:\temp and d:\infocentre; again I have the right event IDs in the security log. It works fine for this new user from the AD.

Then I tried again with the user ID, which is from a real user, that I have used since the beginning of this problem. Still the same thing: event IDs for creation and deletion of files on c:\temp appear in the security log. For d:\infocentre the security log has only event IDs related to the creation of files but nothing for the deletion.

Thanks,
Bernard
December 2nd, 2010 11:50am

Hi,

I am glad to hear the improvement on this issue. Does the issue only occur with this specific user now? Please check it on your side. When setting auditing on the folder, did you add this user or add a group? Which group does the user belong to?

Thanks.
Nina

This posting is provided "AS IS" with no warranties, and confers no rights.
December 3rd, 2010 10:00am

Hi,

OK, things are getting clearer. When I did the test with c:\temp and d:\infocentre with the newly created user, I created and deleted files in those directories. The tests I did with the real user are done in a subdirectory of d:\infocentre because this real user does not have the right to write in d:\infocentre.

After many tests, we found out that even though we check "Apply these auditing entries to objects and/or containers within this container only" and "Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object", the auditing entries are not working for subdirectories. Before someone asks: yes, I did check on the subdirectories whether the auditing entries were applied, and yes they are, but the audit is not working. This is true for all our drives on this server and I also tested this on other servers and it is not better.

Conclusion: an audit applied on a directory works for this directory but not on its subdirectories. How to fix this? Is it a bug in the OS?

Bernard
December 8th, 2010 11:11am

Hi,

For your information, if you are setting audit options for a folder and want to audit subfolders within the folder, click the "Allow inheritable auditing entries from parent to propagate to this object" option. If you are setting audit options for a folder or subfolder and want to audit files within the folder or subfolder, click "Reset auditing entries on all child objects and enable propagation of inheritable auditing entries".

Please go to the Properties of the subfolder, under Auditing, and make sure the settings are inherited correctly. What is the result?

Thanks.
Nina

This posting is provided "AS IS" with no warranties, and confers no rights.
December 10th, 2010 5:18am

Hi Nina,

Go back to my post of Dec 8. What you ask is exactly what I did. To make it even worse, a colleague from another company tried to do the exact same thing as I do and he had the same problem. He found out that by UNchecking "Apply these auditing entries to objects and/or containers within this container only" and UNchecking "Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object" he got auditing for the subfolders and files under the current folder.

To make auditing work, we had to do the opposite of what the documentation says! wowwwwww
December 10th, 2010 8:10am

Hi,

Glad to hear that the issue has been resolved. Thanks for your time and efforts. I am sorry for not addressing your concerns clearly. For how to use the above two options, please refer to the following articles:

Selecting where to apply auditing entries
http://technet.microsoft.com/en-us/library/cc787302(WS.10).aspx#BKMK_selected

In the Auditing Entry dialog box, the Apply onto list displays the locations where you can apply auditing entries. How these auditing entries are applied depends on whether the "Apply these auditing entries to objects and/or containers within this container only" check box is selected. By default, this check box is cleared. Please check the Cleared and Selected section in the article to see how auditing entries are applied.

Advanced Security Settings Properties Page - Auditing Tab
http://technet.microsoft.com/en-us/library/cc753927.aspx

For the “Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object” option: when selected, auditing settings on this parent object will replace those on its descendant objects. When cleared, auditing settings on each object, whether parent or its descendant, can be unique. By default, it is cleared as well.

Thanks.
Nina

This posting is provided "AS IS" with no warranties, and confers no rights.
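The inheritance behaviour the thread ends on can be checked on the server itself rather than by trial deletion. The PowerShell script below is an added example, not code from Bernard, Nina or Microsoft: it walks a folder tree, reads each item's audit entries with Get-Acl -Audit, and flags files that carry no Delete audit entry, because a deletion is audited through the SACL of the file being deleted while "Create files" is audited through the folder's SACL, which is why a folder whose entries never reach its files logs creations but no 4660. It assumes an elevated session (reading a SACL needs the "Manage auditing and security log" right); D:\infocentre is the path from the thread and any folder can be substituted.

```powershell
# Added example (not from the thread): report audit (SACL) coverage under a folder.
# Assumes an elevated PowerShell session; $Root defaults to the thread's D:\infocentre.
param([string]$Root = 'D:\infocentre')

$DeleteRight = [int][System.Security.AccessControl.FileSystemRights]::Delete
$NoPropagate = [int][System.Security.AccessControl.PropagationFlags]::NoPropagateInherit

function Get-AuditCoverage {
    param([Parameter(Mandatory)][string]$Path)

    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        # SecurityIdentifier is used so an orphaned SID in the SACL cannot abort the walk.
        $rules = (Get-Acl -LiteralPath $item.FullName -Audit).GetAuditRules(
                     $true, $true, [System.Security.Principal.SecurityIdentifier])

        # A file deletion (4660/4663) is audited against the file's OWN SACL; "Create files"
        # is audited against the parent folder's SACL. A file with no DELETE audit entry
        # therefore never produces a deletion event, even though creations are logged.
        $deleteAudited = [bool]($rules | Where-Object {
            ([int]$_.FileSystemRights -band $DeleteRight) -ne 0 })

        # NoPropagateInherit is the flag the ACL editor sets for "Apply these auditing entries
        # to objects and/or containers within this container only": the entry is copied to the
        # first level of children and stops inheriting below that level.
        $noPropagate = [bool]($rules | Where-Object {
            ([int]$_.PropagationFlags -band $NoPropagate) -ne 0 })

        [pscustomobject]@{
            Path          = $item.FullName
            IsContainer   = $item.PSIsContainer
            AuditRules    = @($rules).Count
            DeleteAudited = $deleteAudited
            NoPropagate   = $noPropagate
        }
    }
}

$report = Get-AuditCoverage -Path $Root
$report | Format-Table -AutoSize

# Files that will silently miss deletion events under the current SACL.
$gaps = @($report | Where-Object { -not $_.IsContainer -and -not $_.DeleteAudited })
if ($gaps.Count -gt 0) {
    $msg = ('{0} file(s) under {1} have no DELETE audit entry; review the parent folder ' +
            'auditing entries for the "within this container only" option.') -f $gaps.Count, $Root
    Write-Warning $msg
}
```

Run it once with the two check boxes selected and once with them cleared: the NoPropagate column shows the flag that the selected setting leaves on the first-level subfolders, and the warning lists the files in deeper levels that the entries never reached.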
December 16th, 2010 4:16am
