Auditing File Access on File Servers with GPO - Not logging any event


Hi guys,

I'm kind of new to this; I'd like to ask about the audit configuration found in this link:

http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx#comments

So I have done the audit configuration, but I can't see 4663 or any other event related to the audit configuration in Event Viewer.

To give a better overview of my setup, this is what I've done:

- I have a lab domain with 1 DC, 1 file server (that holds the shared folders and files I want to audit), both of them W2008R2, and 1 Windows 7 client computer.

- I created 1 GPO named 'file server audit policy' with the configurations mentioned here and applied it to the OU that contains the file server. The 'gpresult' command tells me the GPOs applied to the file server are 'default domain policy' and 'file server audit policy'.

- On the FS I have 1 folder that I have shared with the name 'shares', and under it I have 3 folders: marketing, finance and it.

- I want to audit what happens on the 3 folders, so I created a SACL on 'shares' for the 'everyone' group.

- From the Windows 7 client computer, with a regular user account, I'm able to access the 'shares' folder (\\fileserver\shares) and the other folders and files and make many changes (creations, deletions, modifications, etc.), but I don't get any audit log in Event Viewer, not one.

- On the DC and in the FS there are logon/logoff events when I access the shared files from the client computer, but no 4663 event.

Guys, please bring some light to this problem; it has been driving me crazy after a week of testing.

Appreciated.

Regards,
Daniel.

Hi Wendy,

So the problem is half solved now. Here is what has been done after a lot of research:

- The result of "auditpol /get /category:*" on the FS server gave me an audit policy configuration on the server quite different from the one I had made in the GPO 'file server audit policy'.

- After doing research I found the link below, which mentions a related problem of applying policies in different ways. I quote the part that caught my attention:

"The lack of object access auditing is expected: once you start applying Advanced Audit Configuration Policy, legacy policies will be ignored. The way to get a Win7/R2 computer to start using legacy policy is to set the security policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to Disabled. This disables the use of the newer policy type. Then you must clear the existing advanced policy from the machines (auditpol.pol /clear, having a blank audit.csv file, etc). The system isn't optimal, but the intention was never to go back."

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

- That said, the case is different from mine in the ways the audit settings have been applied, but there is something in common: the configurations made in the GPO are not being applied. To apply them, I first disabled the mentioned security policy (Audit: Force audit policy subcategory...), cleared the existing advanced policy on the machine (auditpol /clear), forced an update of the GPO (gpupdate /force), then ran "auditpol /get /category:*" again, and the result was clean: every audit setting appeared as "No Auditing".

- After that I had a server with no auditing policy (remember that the GPO 'file server audit policy' is linked to the OU that contains the FS server at all times). I enabled again the security policy I had disabled and forced again an update of the GPO, and thought the machine would get the audit configurations of the last GPO applied, the 'file server audit policy' GPO. Surprisingly, when I ran "auditpol /get /category:*" again, the result was still clean: every audit setting appeared as "No Auditing". Pretty discouraging at that moment, eh?

- I continued the research and found the other link below, with 3 steps to fix the problem. I quote the solution to the problem (I add a fourth step, to run "gpupdate /force" again, though):

"I solved it by the following procedure:

  • Set every advanced audit configuration item to "not configured"
  • Run gpupdate /force on the relevant systems
  • Re-set the advanced audit configuration according to the requirements

I have created the failing GPO from a template that had set the advanced audit settings. I guess there is an internal mismatch of GUIDs..."

http://serverfault.com/questions/617713/advanced-audit-policy-not-getting-applied-on-2012-r2

- Notice that the changes to the advanced audit configuration items have to be done in the GPO (in my case the GPO 'file server audit policy'). I did the 4 steps, ran "auditpol /get /category:*" again, and the configurations I had set in the GPO were applied to the server... yayyyyyyyyyy!!!

I hope this helps anyone having the same problem.

But I have another problem that maybe you can help me with, Wendy. The advanced audit configurations are applied on the FS server through the GPO, and I can see the logs for the "Object Access: File System" configuration in Event Viewer (event 4663), but I cannot yet see the log for the "Object Access: File Share" configuration (event 5145), though both of them have been enabled to audit "Success".

Do you have any idea why I'm not getting the 5145 event?

Thanks in advance, appreciated.

Regards,

Daniel.


dw.
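
A way to check the state described in the post above, as an added example that is not part of the original thread: this PowerShell script, run elevated on the file server, reads the "Audit: Force audit policy subcategory settings" value, the effective policy from auditpol, the folder SACL and the most recent 4663/5145 events. The path `D:\shares` and the expected settings are assumptions, the subcategory names assume an English OS, and Detailed File Share is included because Windows logs event 5145 under that subcategory.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the file server.
$folder   = 'D:\shares'   # hypothetical local path of the 'shares' folder
$expected = @{            # assumed targets: the subcategories discussed in the thread
    'File System'         = 'Success'   # event 4663
    'File Share'          = 'Success'
    'Detailed File Share' = 'Success'   # Windows logs event 5145 under this subcategory
}

# 1. "Audit: Force audit policy subcategory settings ..." is stored in this LSA value
#    (1 = enabled, 0 = disabled, empty = the value has not been set).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"Force subcategory settings (SCENoApplyLegacyAuditPolicy): $($lsa.SCENoApplyLegacyAuditPolicy)"

# 2. Effective policy on this machine. /r makes auditpol print CSV.
$effective = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
foreach ($name in $expected.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    $state  = if ($actual -like "*$($expected[$name])*") { 'OK' } else { 'MISMATCH' }
    '{0,-20} effective={1,-20} expected={2,-8} {3}' -f $name, $actual, $expected[$name], $state
}

# 3. SACL on the folder: object access events need an audit entry as well as the policy.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 4. Most recent file system and file share audit events, if any were written.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 5145 } -MaxEvents 10 `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, MachineName
```

A MISMATCH row means the GPO setting has not reached the effective policy, which is the symptom the thread traces with "auditpol /get /category:*".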


