Re: Making Object Access Auditing Work
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 4 Nov 2005 17:08:47 -0600
It shows auditing of object access it is disabled in Local Security Policy.
Double check that it indeed is enabled in Domain Controller Security Policy
or any other GPOs that may be linked to the domain controller container. By
default there is only the default domain controller GPO of which Domain
Controller Security Policy is a subset of. Then run the command secedit
/refreshpolicy machine_policy enforce on the domain controller. If that
still does not work restart the domain controller and see if that works. If
that does not work then there is some other problem with Group Policy
processing and I would suggest that you run the support tools netdiag,
dcdiag, and gpotool on that domain controller looking to see if there are
any problems that need to be resolved and look in the application and system
logs to see if there are any pertinent errors or warnings recorded. ---
Steve
"Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:72463D7C-5484-4D2A-9D4E-7C4E9628C689@xxxxxxxxxxxxxxxx
> The results from secpol.msc
>
> Audit Account management Local - Not Defined Effective - Success,
> Failure
> (Working and Showing Up in Event Viewer)
>
>
> Audit Object Access Local - No Auditing Effective - No
> Auditing
>
>
> Audit object access does not seem to be working at all. What would you
> suggest next ?
>
>
>
>
>
> "Steven L Umbach" wrote:
>
>> Verify in Local Security Policy [secpol.msc] that it does show that
>> auditing
>> of object access is enabled for success and failure. For Windows 2000
>> look
>> at the effective setting. Are any object access events being recorded at
>> all?? --- Steve
>>
>>
>>
>> "Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:430A856C-7781-4157-B875-D7AB8EB3479D@xxxxxxxxxxxxxxxx
>> > The server that I want to audit is a Domain Controller. It also serves
>> > as
>> > a
>> > file/print server. The files and folders that I want to audit are on a
>> > share
>> > which resides on the SAN. The log file is set to overwrite events.
>> >
>> > Anymore ideas ?
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> If you enable it in Domain Controller Security Policy, file auditing
>> >> will
>> >> work only on domain controllers. Also check to see if the security log
>> >> is
>> >> full. You may want to clear it and be sure to increase the size of it
>> >> substantially. --- Steve
>> >>
>> >>
>> >> "Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:8B443B1C-4C57-4359-97FD-CD76817308EF@xxxxxxxxxxxxxxxx
>> >> >I have enabled "Audit Object Access" in the default domain
>> >> >controllers
>> >> > policy, its been enabled for a few days now. However, when I set a
>> >> > file
>> >> > up
>> >> > for auditng for success or failure of multiple attributes such as
>> >> > delete
>> >> > etc,
>> >> > the changes never show up in the Event Viewer Security log, so I
>> >> > suppose
>> >> > its
>> >> > not working or I have something configured incorrectly. Note that
>> >> > "Audit
>> >> > Account Management" is also enable in this policy and is writing to
>> >> > the
>> >> > security log with no issues.
>> >> >
>> >> > Any help would be greatly apprecitated.
>> >> >
>> >> >
>> >> > Thanks
>> >>
>> >>
>> >>
>>
>>
>>
.
- Follow-Ups:
- Re: Making Object Access Auditing Work
- From: Ken
- Re: Making Object Access Auditing Work
- References:
- Re: Making Object Access Auditing Work
- From: Steven L Umbach
- Re: Making Object Access Auditing Work
- From: Steven L Umbach
- Re: Making Object Access Auditing Work
- Prev by Date: Re: Making Object Access Auditing Work
- Next by Date: Tracking user session duration
- Previous by thread: Re: Making Object Access Auditing Work
- Next by thread: Re: Making Object Access Auditing Work
- Index(es):
Relevant Pages
|
