Phantom process?
Hello all. I have auditing running for a user's home folder. Once in a while, audit logs events of activity where the user traverses the directories, accesses files, and does ReadData. This is happening even when the actual user isn't doing anything. This activity appears to occur only for this user's account. The Process ID for the event is 4, which I believe is owned by SYSTEM. The folder is served by the DC. So, is there a service process on the DC that traverses directories and does reads? If so, why is it only on this account? And why is it only on certain files (not all)? I'm new to Windows servers and their processes, so I apologize in advance if I didn't word things correctly. Any suggestion or advice is much appreciated... :)
jav
April 15th, 2010 3:39am

Hi, when you say the folder is served by the DC, is this a shared folder that users access which is hosted on the DC? If so, how have you enabled the auditing? Have you enabled auditing through Group Policy using the policy below?
Computer Configuration/Windows Settings/Security Settings/File System
If you have mentioned the domain users, then a user who logs into the system would have the privilege to traverse the folders. Also paste the event ID for further understanding.
April 15th, 2010 6:36am

Hi,
> When you say the folder is served by the DC, is this a shared folder that users access which is hosted on the DC?
That is correct.
> If so, how have you enabled the auditing?
On the folder itself via Properties -> Security -> Advanced -> Auditing. I've added Everyone and selected only the following attributes (Successful / Failed):
Traverse Folder / Execute File
List Folder / Read Data
Create Files / Write Data
Create Folders / Append Data
Delete Subfolders and Files
Delete
> Have you enabled auditing through Group Policy using the policy below? Computer Configuration/Windows Settings/Security Settings/File System. If you have mentioned the domain users, then a user who logs into the system would have the privilege to traverse the folders.
No Group Policy for auditing is defined at this time.
> Also paste the event ID for further understanding.
Here's a sample of the event:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/14/2010
Time: 1:23:02 PM
User: MYDOMAIN\Test.Account
Computer: MYCOMPUTERDC1
Description:
Object Open:
 Object Server: Security
 Object Type: File
 Object Name: D:\Users\Test.Account\Documents\
 Handle ID: 31044
 Operation ID: {0,1121321136}
 Process ID: 4
 Image File Name:
 Primary User Name: MYCOMPUTERDC1$
 Primary Domain: MYDOMAIN
 Primary Logon ID: (0x0,0x3E7)
 Client User Name: Test.Account
 Client Domain: MYDOMAIN
 Client Logon ID: (0x0,0x42B83B52)
 Accesses: ReadData (or ListDirectory)
 Privileges: -
 Restricted Sid Count: 0
 Access Mask: 0x1
The event log above is slightly modified to hide the user name, etc., but is the actual event for the user I'm trying to audit. The user happens to be an official in the company and is concerned that someone or something is accessing his files. For example, while monitoring the events, I noticed his home folder and files were being accessed. I went into his office to see if he was doing anything, but he wasn't even there. His screen was locked. I called him and he was out of the building. I asked if he was using RDP, and he wasn't.
I have an actual test.account with its own home folder. I created a test file and left it untouched overnight. The only process that traversed the test.account folder was the backup process.
Please advise. Thanks,
jav
April 15th, 2010 4:59pm
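Added example, not part of the thread or from any of its posters: a PowerShell helper that splits the Description text of a Security event 560 (Object Open) into its fields and separates the primary identity (the process that opened the object, here PID 4 with the DC's machine account and the SYSTEM logon ID 0x3E7) from the client identity it was impersonating, so that accesses made by the server on a user's behalf can be grouped by Client Logon ID and matched against that session's logon event. The sample input is the event quoted above; the function name is my own.

```powershell
# Sample input: the event Description quoted in the thread (names as given there).
$sampleDescription = @'
Object Open:
 Object Server: Security
 Object Type: File
 Object Name: D:\Users\Test.Account\Documents\
 Handle ID: 31044
 Operation ID: {0,1121321136}
 Process ID: 4
 Image File Name:
 Primary User Name: MYCOMPUTERDC1$
 Primary Domain: MYDOMAIN
 Primary Logon ID: (0x0,0x3E7)
 Client User Name: Test.Account
 Client Domain: MYDOMAIN
 Client Logon ID: (0x0,0x42B83B52)
 Accesses: ReadData (or ListDirectory)
'@

function ConvertFrom-ObjectOpenEvent {
    # Hypothetical helper: parse "Field: value" lines of an event 560 Description.
    param([Parameter(Mandatory)][string]$Description)
    $fields = @{}
    foreach ($line in $Description -split "`r?`n") {
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    # Process ID 4 is the System process; a machine account (name ending in $) as the
    # primary user means a server-side component opened the object while impersonating
    # the client user, so the client fields identify who actually asked for the access.
    $serverSide = ($fields['Process ID'] -eq '4') -and ($fields['Primary User Name'] -like '*$')
    [pscustomobject]@{
        ObjectName    = $fields['Object Name']
        Accesses      = $fields['Accesses']
        ProcessId     = $fields['Process ID']
        PrimaryUser   = "$($fields['Primary Domain'])\$($fields['Primary User Name'])"
        ClientUser    = "$($fields['Client Domain'])\$($fields['Client User Name'])"
        ClientLogonId = $fields['Client Logon ID']
        OpenedBy      = if ($serverSide) { 'server process on behalf of client' } else { 'local process' }
    }
}

# Parse the sample; OpenedBy reports 'server process on behalf of client'.
ConvertFrom-ObjectOpenEvent -Description $sampleDescription | Format-List

# On the DC itself, the same parser can be run over the live Security log and the
# results grouped by client logon session (uncomment to use):
# Get-EventLog -LogName Security -InstanceId 560 -Newest 500 |
#     ForEach-Object { ConvertFrom-ObjectOpenEvent -Description $_.Message } |
#     Where-Object { $_.ClientUser -like '*\Test.Account' } |
#     Group-Object ClientLogonId | Select-Object Count, Name
```

Each distinct Client Logon ID corresponds to one logon session on the DC, whose logon event in the same Security log records where that session came from.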

