auditing file share on windows 2008 R2
I think I may need a little handholding here. I have been working with our new Windows 2008 R2 file server. I am having a problem doing some simple file level auditing. I turned on Audit Object Access in the local policy. The GPO that applies to this server does not have it set and I only really need it enabled on this server. I have it auditing Success and Failure. After I did that I got deluged with Event ID: 5145. I went to each folder and made sure that I had auditing turned off for each folder and file. I did that to see if it would quiet down the logs a little. It did not. I am currently getting about 1500 events of 5145 every second. They all say "A network share object was checked to see whether client can be granted desired access". Most of the details look like this:

  System
    Provider Name: Microsoft-Windows-Security-Auditing
    Provider Guid: {54849625-5478-4994-A5BA-3E3B0328C30D}
    EventID: 5145
    Version: 0
    Level: 0
    Task: 12811
    Opcode: 0
    Keywords: 0x8020000000000000
    TimeCreated SystemTime: 2009-10-21T17:27:06.988998000Z
    EventRecordID: 4035441
    Correlation
    Execution ProcessID: 528, ThreadID: 544
    Channel: Security
    Computer: XXXXX-File.XXXXX.com
    Security
  EventData
    SubjectUserSid: S-1-5-21-619530815-2141852887-1629300891-2071
    SubjectUserName: SteveW
    SubjectDomainName: XXXXXXXXXX
    SubjectLogonId: 0x223b087c
    ObjectType: File
    IpAddress: 10.2.50.88
    IpPort: 1087
    ShareName: \\*\users
    ShareLocalPath: \??\E:\shares\users
    RelativeTargetName: \
    AccessMask: 0x1
    AccessList: %%4416
    AccessReason: %%4416: %%1801 D:(A;OICI;FA;;;WD)

All I am trying to keep track of at this point is logon and logoff events AND files and folders being deleted. If I have put this into the wrong folder please let me know.
October 21st, 2009 1:40pm

It's in fact File Share Access auditing. More in a second....
October 22nd, 2009 10:16am

Try this:

  auditpol /get /category:"Object Access"

You will see the actual subcategories of the granular auditing. Starting with Vista/2k8, you have the ability to granularly configure each auditing class (normally enabled/disabled as a whole in the policy) for each subcategory. Starting with Vista, there is this new auditing for File Share which generates the audit records every time someone accesses the share, whatever the NTFS Auditing is, because for NTFS auditing there is another subcategory called File System. Starting with 7/2k8R2, you can also configure this by using Local Security Policy (or even GPO edited from 2k8R2/7); there is a new node called Advanced Audit Policy Configuration.
o.
October 22nd, 2009 10:20am

OK, so if I understand correctly I should be able to go into Advanced Audit Policy and then Object Access and turn off the File Share audit. By default they are set to Not Configured, but when I ran the command you provided it appears that they are all being audited. My other question is that I think I saw a warning not to have both set at the same time, meaning don't use the base audit policy and then also use the advanced audit policy at the same time. Maybe I read that wrong though.
October 22nd, 2009 11:43am

Correct. When you enable the old auditing, you are enabling all the subcategories together. You need to use the Advanced Auditing or AUDITPOL to configure the subcategories individually.
o.
October 22nd, 2009 11:53am

I made changes to Advanced Audit Policy > Object Access so that only File System is selected for Success and Failure. I have set up auditing on a test folder to audit Delete and Delete subfolders and files, Successful or Failed. When I do delete these files I only seem to get Event ID 4663 (object was accessed) and 4660 (object was deleted). So I am getting what I need. Event ID 4663 tells me the user name, object and type of access!!! Thank you for your help!
October 22nd, 2009 12:13pm
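
Putting the thread's fix together as one script (an added example, not code from any poster here): it turns off the noisy File Share subcategory, keeps File System on, puts a Delete-only SACL on a folder, then pulls 4660/4663 from the Security log and keeps only the 4663 records whose AccessMask carries the DELETE bit. The folder path and the 'Everyone' audit principal are assumed placeholders.

```powershell
# Added example; assumes an elevated PowerShell on Windows Server 2008 R2 or later.
# 1. Show the granular Object Access subcategories (the command from the thread).
auditpol /get /category:"Object Access"

# 2. Silence File Share (the source of the 5145 flood) and keep File System,
#    which is what produces 4663/4660 when an NTFS SACL entry matches.
auditpol /set /subcategory:"File Share"  /success:disable /failure:disable
auditpol /set /subcategory:"File System" /success:enable  /failure:enable

# 3. Delete-only SACL on the folder so only deletions are recorded.
#    Placeholder path: replace with the folder you want to watch.
$folder = 'E:\shares\users\test'
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Report deletions. 4660 records the delete but carries no ObjectName;
#    the matching 4663 (same HandleId) names the user and object, and its
#    AccessMask includes DELETE (0x10000).
$deleteBit = 0x10000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Drop 4663 records that are not delete accesses (reads, writes, ...).
    if ($_.Id -eq 4663 -and (([int]$d['AccessMask']) -band $deleteBit) -eq 0) { return }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        User     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        HandleId = $d['HandleId']
        Object   = $d['ObjectName']
    }
  } | Format-Table -AutoSize
```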

I just wanted to thank you guys from the bottom of my heart, for this thread just solved the issue that has been driving me crazy for the last 2 weeks! Great piece of info, thank you again!
October 19th, 2010 11:55am

Thanks for this thread... I had tried to tweak this and upped the security log max to 100MB and it was still filling up every day. Now I am just getting the "delete" flags audited that I want.
February 16th, 2012 11:45am

Another thankful reader here! I was getting the log filled up with Event ID 5145, but after clearing audit settings and enabling only "File System", I get Event ID 4660 and 4663 to track deleted files. Perfect!!
February 20th, 2012 1:29pm

Exactly what I was after! Thanks
May 10th, 2012 8:32am

How about audit not running in the 3rd sub-folder?
June 13th, 2012 1:37pm
