auditing file share on windows 2008 R2
I think I may need a little handholding here. I have been working with our new Windows 2008 R2 file server. I am having a problem doing some simple file level auditing. I turned on Audit Object Access in the local policy. The GPO that applies to this server does not have it set and I only really need it enabled on this server. I have it auditing Success and Failure.

After I did that I got deluged with Event ID: 5145. I went to each folder and made sure that I had auditing turned off for each folder and file. I did that to see if it would quiet down the logs a little. It did not. I am currently getting about 1500 events of 5145 every second. They all say "A network share object was checked to see whether client can be granted desired access".

Most of the details look like this:

- System
    - Provider
        [ Name] Microsoft-Windows-Security-Auditing
        [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
    EventID 5145
    Version 0
    Level 0
    Task 12811
    Opcode 0
    Keywords 0x8020000000000000
    - TimeCreated
        [ SystemTime] 2009-10-21T17:27:06.988998000Z
    EventRecordID 4035441
    Correlation
    - Execution
        [ ProcessID] 528
        [ ThreadID] 544
    Channel Security
    Computer XXXXX-File.XXXXX.com
    Security
- EventData
    SubjectUserSid S-1-5-21-619530815-2141852887-1629300891-2071
    SubjectUserName SteveW
    SubjectDomainName XXXXXXXXXX
    SubjectLogonId 0x223b087c
    ObjectType File
    IpAddress 10.2.50.88
    IpPort 1087
    ShareName \\*\users
    ShareLocalPath \??\E:\shares\users
    RelativeTargetName \
    AccessMask 0x1
    AccessList %%4416
    AccessReason %%4416: %%1801 D:(A;OICI;FA;;;WD)

All I am trying to keep track of at this point is logon and logoff events AND files and folders being deleted. If I have put this into the wrong folder please let me know.
October 21st, 2009 8:40pm

It's in fact File Share Access auditing. More in a second....
October 22nd, 2009 5:16pm

Try this:

auditpol /get /category:"Object Access"

You will see the actual subcategories of the granular auditing. Starting with Vista/2k8, you have the ability to granularly configure each auditing class (normally enabled/disabled as a whole in the policy) for each subcategory. Starting with Vista, there is this new auditing for File Share which generates the audit records every time someone accesses the share, whatever the NTFS auditing is, because for NTFS auditing there is another subcategory called File System. Starting with 7/2k8R2, you can also configure this by using Local Security Policy (or even GPO edited from 2k8R2/7); there is a new node called Advanced Audit Policy Configuration.

o.
October 22nd, 2009 5:20pm

Ok so if I understand correctly I should be able to go into advanced audit policy and then object Access and turn off the file share audit. By default they are set to Not Configured, but when I ran the command you provided it appears that they are all being audited. My other question is that I think I saw a warning not to have both set at the same time. Meaning don't use the base audit policy and then also use the advanced audit policy at the same time. Maybe I read that wrong though.
October 22nd, 2009 6:43pm

Correct. When you enable the old auditing, you are enabling all the subcategories together. You need to use the Advanced Auditing or the AUDITPOL to configure the subcategories individually.

o.
October 22nd, 2009 6:53pm

I made changes to Advanced Audit Policy > Object Access so that only File System is selected Success and Failure. I have set up auditing on a test folder to audit Delete and Delete subfolders and files, Successful or Failed. When I do delete these files I only seem to get Event ID 4663 (object was accessed) and 4660 (Object was deleted). So I am getting what I need. Event ID 4663 tells me the user name, object and type of access!!! Thank you for your help!
October 22nd, 2009 7:13pm
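
The configuration the thread arrives at, done with auditpol from PowerShell. This is an added example, not part of the original posts: it leaves only the File System subcategory of Object Access audited and then checks the legacy-versus-advanced policy interaction raised above. It assumes an elevated prompt and an English-language OS, since auditpol subcategory names are localized.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Assumption: English OS, so the subcategory is literally named "File System".
$category = 'Object Access'
$keep     = 'File System'   # yields 4663/4660 on folders that have auditing entries

function Get-ObjectAccessPolicy {
    # /r prints CSV; the columns used here are "Subcategory" and "Inclusion Setting".
    auditpol /get /category:"$category" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

Write-Host 'Object Access subcategories before:'
Get-ObjectAccessPolicy | Format-Table -AutoSize | Out-Host

foreach ($row in Get-ObjectAccessPolicy) {
    if ($row.Subcategory -eq $keep) {
        auditpol /set /subcategory:"$($row.Subcategory)" /success:enable /failure:enable | Out-Null
    }
    elseif ($row.'Inclusion Setting' -ne 'No Auditing') {
        # Everything else goes quiet, including the file share auditing
        # behind the 5145 flood described in the first post.
        auditpol /set /subcategory:"$($row.Subcategory)" /success:disable /failure:disable | Out-Null
    }
}

Write-Host 'Object Access subcategories after:'
Get-ObjectAccessPolicy | Format-Table -AutoSize | Out-Host

# If the legacy "Audit object access" category is still set in local policy or a GPO,
# it can re-enable every subcategory at the next policy refresh. The security option
# "Audit: Force audit policy subcategory settings (Windows Vista or later) to override
# audit policy category settings" prevents that; it is stored in this registry value.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning ('Subcategory override is not enforced. Clear the legacy ' +
                   'Audit object access setting or enable the override option, ' +
                   'otherwise these subcategory settings may be overwritten.')
}
```

Logon and logoff auditing lives in a different category and is not touched by this script.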

I just wanted to thank you guys from the bottom of my heart, for this thread just solved the issue that has been driving me crazy for the last 2 weeks! Great piece of info, thank you again!
October 19th, 2010 11:58am
