Re: XPP on Domain - can I make Directories private - even from Admin?

From: David Candy (.)
Date: 11/14/04

  • Next message: CWatters: "Re: This is ridiculous" 
    Date: Sun, 14 Nov 2004 20:35:57 +1100

    Yes. Turn on Auditing for the folders.

    1. You must enable Auditing for the machine (in Local Security Policy - see Help).

    2. You must specify what to audit. You do this the same place you set permissions (click Advanced).

    Then you can read it in the Event Viewer

    Audit object access
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

    Description
    Determines whether to audit the event of a user accessing an object-for example, a file, folder, registry key, printer, and so forth-that has its own system access control list (SACL) specified.

    If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

    Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.

    Default: No auditing.

    Then set auditing for your drives in the Drives Properties - Security - Advanced - Auditing

    You have to turn it on then set what is to be audited.

    This is what a audit for a printer looks like

    Object Open:
    Object Server: Spooler
    Object Type: Document
    Object Name: http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
    Handle ID: 9487952
    Operation ID: {-,-}
    Process ID: 1020
    Image File Name: C:\WINDOWS\system32\spoolsv.exe
    Primary User Name: SERENITY$
    Primary Domain: WORKGROUP
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: David Candy
    Client Domain: SERENITY
    Client Logon ID: (0x0,0xE179)
    Accesses: READ_CONTROL
    %%6949
    Privileges: -
    Restricted Sid Count: 0
    For more information, see Help and Support Center at

    Big companies have programs that look through these logs. You can use a spread***. 

    -- 
----------------------------------------------------------
http://www.uscricket.com
"WSF" <someone@microsoft.com> wrote in message news:a3Dld.1495$9A.66347@news.xtra.co.nz...
> OK, now I understand some of the rationale behind the Administration 
> Regime and the need to have SOMEONE in the organisation that can unwind 
> a situation created by a user - albeit audited. One could argue that few 
> in most businesses would be aware, understand and make use of that.
> 
> I am intrigued by your remark about auditing.
> Is there a way that I, as a user with Admin rights, can tell if someone 
> else has been trying (or has) accessed my local files/directories?
> Thanks for the input David. I appreciate it.
> 
> Regards, Bill Fraser
> 
> 
> 
> 
> David Candy wrote:
>> Administrator's can deal themselves out. While they can always override security they leave an audit trail. 
> Administrators are all powerful but are still accountable.
>> 
>> To override security they must take ownership, this indicates to the previous owner that the admin has been at their files. 
> 
> You can't give ownership only take it. So they can't give ownership back 
> without logging in as you.
> 
> But they need to reset your password to log in as you so you can't login 
> next time you try that tells you someone changed your password.
>> 
>> Plus XP support full auditing anyway (User1 accessed file x at 12:10pm) but is turned off by default.
>>
  • Next message: CWatters: "Re: This is ridiculous"