RE: Audit to track moving of folders
- From: v-chayan@xxxxxxxxxxxxxxxxxxxx ("Charles Yang [MSFT]")
- Date: Thu, 08 Dec 2005 03:36:23 GMT
Hi Gerry,
Welcome to SBS newsgroup.
Issue description:
=============
I understand that you want to know how to audit the moving action on the
SBS server.
Analysis and suggestions:
==============
Based on my research, I would like to provide the following suggestions:
1. Enable auditing on necessary events.
Generally speaking, a "move" operation can be considered the combination of
a "write" and a "delete" operation.
Therefore, to optimize the auditing performance, please only enable
"Success" Audit object access, and only monitor the following activities on
the files/subfolders contained in the share:
"Delete"
"Create Files / Write Data"
"Create Folders / Append Data"
2. Efficiently check event log:
This is a bit complicated because there is a large number of data access on
the folder and generally one operation could cause multiple audits.
We can try enabling filters on event log. To do so:
1. Right-click the Security event log and choose Properties.
2. Select the Filter tab.
3. Select the Success check box.
4. Input "560" (without quotations) in the "Event ID" edit box.
5. Click OK.
6. Then only the related event will be displayed.
Please note that the auditing events logged at the same time can generally
be considered a single operation. Please note that if you want to monitor
the issue on the Windows 2003 standard server, you can check the auditing
event on the Windows 2003 server for the event 560.
If you want some more convenient tools, it seems you might have to search
the internet to see if you can find some third party tools that can satisfy
your goal. We have no such tools other than auditing function on the event
view.
I really appreciate your effort on this issue; please feel free to post
back. I am glad to be of assistance.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Gerry Armstrong" <gerrya@xxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Audit to track moving of folders
| Date: Wed, 7 Dec 2005 08:45:32 -0400
|
| I have a problem with folders in a shared directory on a SBS2003 server
| being moved by one of the users and I need to know who is responsible for
| moving these folders. I understand that I can use Auditing to track various
| types of information which will relate to this problem but I need some help
| in configuring this.
| What I would like to do is to be able to see who moved a folder from one
| location to another within a share on the SBS2003 server as well as on a
| Standard Windows 2003 server which is also a part of the domain (and
| configured as a domain controller as well). Can you guys tell me what is the
| best way of doing this?