Server 2008 R2, I have a GPO setup with Audit File System: Success/Failure enabled. Per the Technet article, it should generate failure events. It does not.
https://technet.microsoft.com/en-us/library/dd772661(v=ws.10).aspx
A 4663 event will generate for successful audits. I know if I enable Audit Handle Manipulation failures, I can get what I want, the problem is, that audit setting is VERY noisy and not really acceptable in our environment. Is MS just wrong in this regard or is there a trick to getting this to work? The SACL is currently set to EVERYONE Full Control Failures.