Server 2008 R2 - Audit File System failures not working

Server 2008 R2, I have a GPO setup with Audit File System: Success/Failure enabled.  Per the Technet article, it should generate failure events.  It does not.  

https://technet.microsoft.com/en-us/library/dd772661(v=ws.10).aspx

A 4663 event will generate for successful audits.  I know that if I enable Audit Handle Manipulation failures I can get what I want; the problem is that that audit setting is VERY noisy and not really acceptable in our environment.  Is MS just wrong in this regard, or is there a trick to getting this to work?  The SACL is currently set to EVERYONE Full Control Failures.  

July 23rd, 2015 2:12pm

Hi,

Server 2008 R2, I have a GPO setup with Audit File System: Success/Failure enabled.  Per the Technet article, it should generate failure events.  It does not.  

Firstly, I suggest you run this command below on the local machine where auditing is needed to check whether the auditing policy settings are configured correctly:

Auditpol /get /category:*

If not, please run this command below to enable file system auditing:

Auditpol /set /subcategory:"File System" /failure:enable

More information for you:

Auditpol set

https://technet.microsoft.com/en-us/library/cc755264.aspx

Best Regards,

July 24th, 2015 7:25am
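An added example (my code, not from the thread) that does the check Amy describes end to end: read the effective Object Access policy with auditpol, put the Everyone / Failure / Full Control audit ACE from the question on a folder, provoke a genuine access-denied write, and then look for failure audits on that object. It assumes an elevated PowerShell session (SeSecurityPrivilege is needed to read or write a SACL) on Server 2008 R2 or later, and that C:\AuditTest is a scratch folder you are free to create; both are assumptions, not anything the thread states.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session
# and that C:\AuditTest is a scratch folder you can create.
$folder = 'C:\AuditTest'
$file   = Join-Path $folder 'probe.txt'
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# 1. Effective policy. auditpol reports what LSA is actually enforcing (the
#    merge of local and GPO advanced audit policy), which is what drives the
#    Security log regardless of what the GPO editor displays. /r gives CSV.
$policy = auditpol /get /category:"Object Access" /r |
          Where-Object { $_ -ne '' } | ConvertFrom-Csv |
          Where-Object { 'File System', 'Handle Manipulation' -contains $_.Subcategory }
$policy | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 2. Failure-only audit ACE for Everyone, inherited by files and subfolders
#    (the SACL the question describes).
$acl  = Get-Acl -Path $folder -Audit      # -Audit reads the SACL, needs SeSecurityPrivilege
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Provoke a real access-denied: an explicit Deny Write for the current
#    user on the probe file (an explicit Deny wins over the admin's Allow
#    entries), then attempt a write. This is the "Write when only Read is
#    granted" case from Amy's test.
Set-Content -Path $file -Value 'probe'
$facl = Get-Acl -Path $file
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me,
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.AccessControlType]::Deny)
$facl.AddAccessRule($deny)
Set-Acl -Path $file -AclObject $facl

try {
    Add-Content -Path $file -Value 'should fail' -ErrorAction Stop
    Write-Warning 'Write succeeded; the Deny ACE did not apply.'
} catch {
    "Write denied as intended: $($_.Exception.Message)"
}

# 4. Look for audits on that object from the last couple of minutes. On
#    2008 R2 with only the File System subcategory enabled this comes back
#    empty for failures; with Handle Manipulation failures on, 4656 appears.
$since  = (Get-Date).AddMinutes(-2)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like "*$file*" }
if ($events) {
    $events | Select-Object TimeCreated, Id, @{ n = 'Result'; e = { $_.KeywordsDisplayNames -join ',' } }
} else {
    "No 4656/4663 events mentioning $file since $since"
}
```

The Deny ACE is the cheapest way to get a real access check failure without logging on as a second user; remove it (or delete the scratch folder) when you are done, because the SACL stays on C:\AuditTest until you take it off.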

Amy, 

Thanks for the reply.  Unfortunately, all things appear properly set.  Auditpol /get /category:* shows the proper audit settings, I ran the auditpol command as you wrote to enable File System failures.  There is no change in behavior.  

July 27th, 2015 12:41pm

Hi,

The SACL is currently set to EVERYONE Full Control Failures.  

In my tests, Audit Failures events are logged where users perform actions which they are not allowed, such as Write when only Read permissions are granted.

Best Regards,

July 28th, 2015 8:46am

Hi Again,

The last reply of mine is based on tests on Windows Server 2012 R2, I have also tested on Windows Server 2008 R2, and I got the same result as yours (without Audit Failures for File System subcategory logged).

After some research, I found out the trick is we need to enable Handle Manipulation subcategory failure auditing, just run:

Auditpol /set /subcategory:"Handle Manipulation" /failure:enable

After that, it's finally working!

Best Regards,

July 28th, 2015 9:36am

Right, I said in my post that doing that will generate the events. I wrote a script that eliminates the preset SACLs on any file in c:\windows and any subfolder. This allows Handle Manipulation failures to be enabled because the massive amount of event noise is negated. MS really needs to update their entries for Audit File System and Audit Registry, as neither seems capable of generating the 4656 event without Audit Handle Manipulation.
July 28th, 2015 10:56am
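The poster's script is not shown in the thread, so here is an added example of my own for the same job: inventory the explicit (non-inherited) audit ACEs on every file and folder under a root, and optionally strip them, so that a Handle Manipulation failure policy stops auditing objects nobody asked about. It assumes an elevated session and a scratch tree at C:\AuditTest; the root path and the function names are mine. Run it against a test tree first, because clearing SACLs across %SystemRoot% cannot be undone except from a backup.

```powershell
# Added example, not the poster's script. Assumes an elevated session
# (SeSecurityPrivilege is needed to read or write a SACL).

function Get-ExplicitAuditAces {
    # One object per explicit audit ACE found under $Root.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try { $sd = Get-Acl -Path $item.FullName -Audit -ErrorAction Stop } catch { return }
            # $true,$false = explicit entries only, skip inherited ones: those are
            # owned by the parent and would come straight back on the next change.
            foreach ($ace in $sd.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])) {
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    AuditFlag = $ace.AuditFlags
                }
            }
        }
}

function Remove-ExplicitAuditAces {
    # Clears every explicit audit ACE on each object reported above.
    # -Preview only prints what would be cleared.
    param([string]$Root, [switch]$Preview)
    Get-ExplicitAuditAces -Root $Root | Group-Object Path | ForEach-Object {
        $path = $_.Name
        if ($Preview) { "Would clear $($_.Count) audit ACE(s) on $path"; return }
        $sd = Get-Acl -Path $path -Audit
        foreach ($ace in $sd.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])) {
            [void]$sd.RemoveAuditRule($ace)
        }
        Set-Acl -Path $path -AclObject $sd
        "Cleared audit ACEs on $path"
    }
}

# Inventory first, then decide what to remove.
Get-ExplicitAuditAces -Root 'C:\AuditTest' | Format-Table Path, Identity, AuditFlag, Rights -AutoSize
Remove-ExplicitAuditAces -Root 'C:\AuditTest' -Preview
```

Inherited audit entries are deliberately left alone; removing those means breaking SACL inheritance on the object with SetAuditRuleProtection, which is a bigger change than clearing a few explicit ACEs and should be a separate, conscious step.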

Hi,

My apologies for the delayed response.

I just found official explanation for this behavior.

Here I quote:

Windows XP had an 'Object Access' category, and would enable file and handle logging. This means that an audit event would be generated for both a success and a failure in Windows XP. However, in Windows Vista and above, this functionality was split into file logging and handle logging.

You can read more detailed explanation from this KB article below:

Understanding File and Handle Audit Events in Windows Vista, in Windows Server 2008, in Windows 7, Windows Server 2008 R2, in Windows 8, and in Windows Server 2012

https://support.microsoft.com/en-us/kb/2771404

Best Regards,

Amy

August 11th, 2015 8:44am
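The KB explains why the File System subcategory alone does not log the failed handle open, and the fix in this thread is to enable Handle Manipulation failures. An added example (my code, not from the thread or the KB) that does that and then summarises the resulting 4656 failure audits by process and object type, so the extra noise the original poster complains about can be measured and filtered rather than guessed at. It assumes an elevated PowerShell session on a host that already carries failure SACLs; the exclusion pattern for C:\Windows\* is an assumption to adjust for your own environment.

```powershell
# Added example, not from the thread. Assumes an elevated session.
auditpol /set /subcategory:"Handle Manipulation" /failure:enable | Out-Null
auditpol /get /subcategory:"Handle Manipulation"

# Pull only failure audits: 4656 carrying the Audit Failure keyword.
$since = (Get-Date).AddHours(-1)
$fails = Get-WinEvent -FilterHashtable @{
             LogName   = 'Security'
             Id        = 4656
             Keywords  = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
             StartTime = $since
         } -ErrorAction SilentlyContinue

function ConvertTo-AuditRecord {
    # Flatten one 4656 event by reading its EventData XML; that is more
    # reliable than regexing the rendered Message text.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time       = $Event.TimeCreated
        Subject    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ObjectType = $d['ObjectType']
        ObjectName = $d['ObjectName']
        Process    = $d['ProcessName']
        AccessMask = $d['AccessMask']
    }
}

$records = $fails | ForEach-Object { ConvertTo-AuditRecord $_ }

# Top noise sources: which process failed to open what kind of object, how often.
$records | Group-Object Process, ObjectType |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Then hand-inspect the File objects outside the system paths that tend to
# dominate once Handle Manipulation is on (exclusion is an assumption; tune it).
$records |
    Where-Object { $_.ObjectType -eq 'File' -and $_.ObjectName -notlike 'C:\Windows\*' } |
    Sort-Object Time |
    Format-Table Time, Subject, Process, ObjectName, AccessMask -AutoSize
```

The grouping step is the useful part: it tells you which processes and object types are generating the failures, which is the evidence you need before deciding whether to clear SACLs on system files, scope the audit ACEs more tightly, or filter at collection time.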

Thanks for the info.   
August 17th, 2015 10:17pm

Welcome:)

August 17th, 2015 10:20pm

This topic is archived. No further replies will be accepted.
