Object Access File System Failure Not Generating Audit Failures
This should be simple, right? Configure auditing on the file system and set the audit policies to audit object access. It did get a little more complicated in Windows Server 2008, but it seems straightforward enough. Here are my settings:

File Auditing:
Failure Everyone Full Control This folder, subfolders and files

Object Access:
File System Success and Failure

Global Object Access Auditing : File
All Everyone Change permissions, Take ownership
Failure Everyone Full Control

Local Policies/Audit Policy:
Audit object access Success, Failure

Is there anything else I should be looking at?

Thanks,
Joe

Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator In Progress: MCITP: Enterprise Administrator
August 9th, 2011 10:06pm

Hi Joe,

Before we go further, I would like to confirm whether any users who have no permission to access the audited folder have tried to access this folder. If not, it is expected that there is no failure event.

Meanwhile, if you would like to audit specific folders, you do not need to enable Global Object Access Auditing, as it will create System Access Control Lists (SACL) for the entire computer, based on file and registry.

Enabling file or folder auditing is a 2-step process:

1. Configure "audit object access" in AD Group Policy or on the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing for "Audit object access."

2. Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file.

Hope this helps.

Regards,
Bruce
August 11th, 2011 12:44pm

Confirmed, I had another administrator deny access to my account to a specific file, and when I tried to open it, I got an access denied message. I've configured the settings described in #1 & #2; that's why I'm confused, because it doesn't seem to be working. I would like to use Global Object Access Auditing at some point; it should keep things a lot simpler.

Some screen captures:

Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator
August 11th, 2011 4:52pm

Can you find any failure event with the filter off? Or change the keyword to failure for a test.
August 15th, 2011 7:40pm

Hi,

I have used the steps from my first reply in this thread to test the Audit Object Access policy in a Windows Server 2008 R2 lab. It worked fine. The Event ID is 4656.

At this point, please make sure to check the Event Viewer on the local computer where the test2.txt file resides. Then, filter using the event ID 4656.

Regards,
Bruce
August 16th, 2011 1:30pm
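
An added example, not part of the original thread: a PowerShell check of the two configuration steps and the event 4656 lookup described in the replies above, run from an elevated prompt on the computer that holds the file. The path in $Path is a hypothetical placeholder for the thread's test2.txt; the script only reads settings and events.

```powershell
# Added example. $Path is a hypothetical location for the thread's test file.
$Path = 'D:\Audited\test2.txt'

# Step 1: effective audit policy for the File System subcategory.
# Failure auditing must show here, otherwise no failure event is written.
auditpol /get /subcategory:"File System"

# Step 2: audit entries (SACL) on the object itself.
# Reading the SACL requires an elevated session.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# Step 3: failed handle requests (event 4656) in the local Security log.
# 4503599627370496 (0x10000000000000) is the "Audit Failure" keyword.
$filter = @{ LogName = 'Security'; Id = 4656; Keywords = 4503599627370496 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No 4656 audit failures found in the local Security log.'
} else {
    $leaf = Split-Path -Path $Path -Leaf
    $events | ForEach-Object {
        # Flatten the named EventData fields into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = $data['SubjectUserName']
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
        }
    } |
        Where-Object { $_.Object -like "*$leaf" } |
        Select-Object Time, User, Object, Process |
        Format-Table -AutoSize
}
```

If step 1 shows failure auditing enabled and step 2 lists a Failure entry that covers the denied account, a denied open of the file should produce a row in step 3.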
