Re: XPP on Domain - can I make Directories private - even from Admin?
From: WSF (someone_at_microsoft.com)
Date: 11/15/04
- Next message: Edward W. Thompson: "Re: any good reg cleaners"
- Previous message: Ben: "Re: Replacing W2k with XP"
- In reply to: David Candy: "Re: XPP on Domain - can I make Directories private - even from Admin?"
- Next in thread: David Candy: "Re: XPP on Domain - can I make Directories private - even from Admin?"
- Reply: David Candy: "Re: XPP on Domain - can I make Directories private - even from Admin?"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 15 Nov 2004 19:28:04 +1300
Thanks again David,
Plenty for me to look at and try.
I appreciate your help.
Hmm, a cricket buff eh?
Do you have any tips for the NZL Blackcaps?
We're in Aussie presently for a three match test series.
Lambs to the slaughter methinks!
Cheers,
Bill Fraser
David Candy wrote:
> Yes. Turn on Auditing for the folders.
>
> 1. You must enable Auditing for the machine (in Local Security Policy - see Help).
>
> 2. You must specify what to audit. You do this the same place you set permissions (click Advanced).
>
> Then you can read it in the Event Viewer
>
>
> Audit object access
> Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
>
> Description
> Determines whether to audit the event of a user accessing an object - for example, a file, folder, registry key, printer, and so forth - that has its own system access control list (SACL) specified.
>
> If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
>
> Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
>
> Default: No auditing.
>
>
>
> Then set auditing for your drives in the Drives Properties - Security - Advanced - Auditing
>
> You have to turn it on then set what is to be audited.
>
> This is what an audit for a printer looks like
>
> Object Open:
> Object Server: Spooler
> Object Type: Document
> Object Name: http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
> Handle ID: 9487952
> Operation ID: {-,-}
> Process ID: 1020
> Image File Name: C:\WINDOWS\system32\spoolsv.exe
> Primary User Name: SERENITY$
> Primary Domain: WORKGROUP
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: David Candy
> Client Domain: SERENITY
> Client Logon ID: (0x0,0xE179)
> Accesses: READ_CONTROL
> %%6949
> Privileges: -
> Restricted Sid Count: 0
> For more information, see Help and Support Center at
>
> Big companies have programs that look through these logs. You can use a spreadsheet.
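
Added example, not part of either poster's message: a small version of the "programs that look through these logs" mentioned above. It parses text in the layout of the Object Open record quoted in the reply and lists opens under a watched folder by any account other than its owner; the sample records, the folder C:\Private\ and the account names are constructed for illustration.

```python
import re

# Constructed, abbreviated sample in the layout of the "Object Open" record
# quoted above; the users, hosts and paths are invented for illustration.
SAMPLE = """\
Object Open:
 Object Name: C:\\Private\\accounts.xls
 Client User Name: Bill
 Client Domain: EXAMPLEPC
 Accesses: ReadData (or ListDirectory)
Object Open:
 Object Name: C:\\Private\\accounts.xls
 Client User Name: Administrator
 Client Domain: EXAMPLEDOM
 Accesses: READ_CONTROL
  ReadData (or ListDirectory)
Object Open:
 Object Name: C:\\Shared\\notes.txt
 Client User Name: Administrator
 Client Domain: EXAMPLEDOM
 Accesses: ReadData (or ListDirectory)
"""

# "Field Name: value"; the key stops at the first colon, so values may contain colons.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_records(text):
    """Split exported audit text into one dict per 'Object Open:' record."""
    records, key = [], None
    for line in filter(str.strip, text.splitlines()):
        m = FIELD.match(line)
        if line.strip() == "Object Open:":
            records.append({})
            key = None
        elif records and m:
            key = m.group(1)
            records[-1][key] = m.group(2).strip()
        elif key == "Accesses":  # continuation lines list further rights
            records[-1][key] += "; " + line.strip()
    return records

def unexpected_access(records, watched_prefix, owner):
    """Opens under watched_prefix by any account other than owner."""
    return [(r.get("Client Domain", "") + "\\" + r.get("Client User Name", ""),
             r.get("Object Name", ""), r.get("Accesses", ""))
            for r in records
            if r.get("Object Name", "").lower().startswith(watched_prefix.lower())
            and r.get("Client User Name", "").lower() != owner.lower()]
```

Calling `unexpected_access(parse_records(SAMPLE), "C:\\Private\\", "Bill")` returns only the Administrator open of the file under C:\Private\.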