I'm trying to implement file access auditing on a Windows Server 2019 machine with mixed success.

The server in question is a member server, but not a domain controller.

I have enabled success auditing using a GPO in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy | Audit Object Access.

I know this is effective, because if I revoke this the File Access auditing stops.

I moved to enabling auditing at a folder level, but after I'd set up the auditing for a particular folder I found that the server was logging file access events for every event on the server. I checked back up the folder tree to see if there were any policies being inherited, but I found nothing.

So, with auditing enabled, and no auditing policies in place on any folder from the drive root to the shared folder, file access is still being logged throughout the shared folder.

I have worked across the whole drive and checked the audit policy at every key point: there are no audit policies in place.

If I've understood this process, I should only be seeing audit logs for folders and files with audit log entries, and anything below them where the entries are inherited.

To be quite sure, I took a sample log from the event viewer and followed the path, checking every folder from the drive root to the file. Nowhere did I find an audit entry of any kind.

I'm at a loss. I can enable and disable logging using a GPO, but once enabled I'm getting huge volumes of data I can't control, from logging I don't need or want.

I presume I've missed something here, but I have no idea what.

Suggestions?

  • Is there a reason you are using Windows Server 2003 Legacy Auditing and not the modern auditing introduced in 2008?
    – Greg Askew
    Aug 15 at 4:07
  • I'm using the auditing options I see available. I have seen references to Advanced auditing, but the options for those don't appear in my GPO. Am I missing a template, perhaps? Aug 15 at 4:15
  • Advanced Auditing is not controlled with templates. Security Settings\Advanced Audit Policy Configuration\System Audit Policies learn.microsoft.com/en-us/windows/security/threat-protection/…
    – Greg Askew
    Aug 15 at 4:38
  • Thanks to your remark above, I've found it. An initial test seems to work. I hadn't seen Advanced Audit before because it wasn't adjacent to the basic Audit Policy I'd been using, but about a dozen items down the list, which was outside the window. Littlest things eh? Aug 15 at 4:51

1 Answer

I'd been using the basic Audit Policy in Security Settings | Local Policies.

I should have been using Advanced Audit Policy Configuration, but I hadn't seen that in the GPO because it's elsewhere in the Security Settings list, and not adjacent to Audit Policy, where I'd expected to find it.

Things were further confused because the entry appeared outside the window. A larger window, or a short scroll, or in this case Greg Askew's pointer in the comments got things fixed!
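
The two checks this thread turns on, as an added PowerShell example that is not part of the original posts: the audit policy the server is actually applying per subcategory, and the walk from a logged file up to the drive root looking for audit entries. The function name and the sample path are hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on the file server.
# Reading audit entries (the SACL) needs the "Manage auditing and security log" right.

# 1. Show the audit policy the server is actually applying, per subcategory.
#    Category name as on an English-language system.
auditpol.exe /get /category:"Object Access"

# 2. Walk from an object up to the drive root, listing every audit entry found.
function Get-AuditEntriesOnPath {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force
    while ($null -ne $item) {
        $acl   = Get-Acl -LiteralPath $item.FullName -Audit
        $rules = @($acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]))

        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Path = $item.FullName; Identity = '(no audit entries)'
                               Rights = $null; Flags = $null; Inherited = $null }
        }
        foreach ($r in $rules) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $r.IdentityReference.Value
                Rights    = $r.FileSystemRights
                Flags     = $r.AuditFlags          # Success, Failure or both
                Inherited = $r.IsInherited         # $false = set explicitly on this object
            }
        }
        # Files step to their folder, folders to their parent; the root's parent is $null.
        $item = if ($item -is [System.IO.DirectoryInfo]) { $item.Parent } else { $item.Directory }
    }
}

# Hypothetical path: substitute the Object Name from a logged file access event.
Get-AuditEntriesOnPath -Path 'D:\Shares\Example\file.txt' | Format-Table -AutoSize
```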
