Re: XPP on Domain - can I make Directories private - even from Admin?

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 11/15/04 

Date: Mon, 15 Nov 2004 18:32:07 -0000

What's to stop an administrator removing things from the event log?.

Oli

"David Candy" <.> wrote in message
news:eqaTvfuyEHA.4004@tk2msftngp13.phx.gbl...
Most bouncers are maori.

Try this again

http://www.smh.com.au/news/National/Hookes-threw-two-punches-at-bouncer/2004/11/15/1100384470331.html 

-- 
----------------------------------------------------------
http://www.uscricket.com
"WSF" <someone@microsoft.com> wrote in message 
news:2_Xld.1923$9A.83558@news.xtra.co.nz...
> Thanks again David,
> Plenty for me to look at and try.
> I appreciate your help.
>
> Hmm, a cricket buff eh?
> Do you have any tips for the NZL Blackcaps?
> We're in Aussie presently for a three match test series.
> Lambs to the slaughter methinks!
>
> Cheers,
> Bill Fraser
>
> David Candy wrote:
>> Yes. Turn on Auditing for the folders.
>>
>> 1. You must enable Auditing for the machine (in Local Security Policy - 
>> see Help).
>>
>> 2. You must specify what to audit. You do this the same place you set 
>> permissions (click Advanced).
>>
>> Then you can read it in the Event Viewer
>>
>>
>> Audit object access
>> Computer Configuration\Windows Settings\Security Settings\Local 
>> Policies\Audit Policy
>>
>> Description
>> Determines whether to audit the event of a user accessing an object-for 
>> example, a file, folder, registry key, printer, and so forth-that has its 
>> own system access control list (SACL) specified.
>>
>> If you define this policy setting, you can specify whether to audit 
>> successes, audit failures, or not audit the event type at all. Success 
>> audits generate an audit entry when a user successfully accesses an 
>> object that has a SACL specified. Failure audits generate an audit entry 
>> when a user unsuccessfully attempts to access an object that has a SACL 
>> specified. To set this value to no auditing, in the Properties dialog box 
>> for this policy setting, select the Define these policy settings check 
>> box and clear the Success and Failure check boxes.
>>
>> Note that you can set a SACL on a file system object using the Security 
>> tab in that object's Properties dialog box.
>>
>> Default: No auditing.
>>
>>
>>
>> Then set auditing for your drives in the Drives Properties - Security - 
>> Advanced - Auditing
>>
>> You have to turn it on then set what is to be audited.
>>
>> This is what a audit for a printer looks like
>>
>> Object Open:
>> Object Server: Spooler
>> Object Type: Document
>> Object Name: 
>> http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
>> Handle ID: 9487952
>> Operation ID: {-,-}
>> Process ID: 1020
>> Image File Name: C:\WINDOWS\system32\spoolsv.exe
>> Primary User Name: SERENITY$
>> Primary Domain: WORKGROUP
>> Primary Logon ID: (0x0,0x3E7)
>> Client User Name: David Candy
>> Client Domain: SERENITY
>> Client Logon ID: (0x0,0xE179)
>> Accesses: READ_CONTROL
>> %%6949
>> Privileges: -
>> Restricted Sid Count: 0
>> For more information, see Help and Support Center at
>>
>> Big companies have programs that look through these logs. You can use a 
>> spread***.
Quantcast