Re: Change to folder permissions - What event is logged?
- From: v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
- Date: Wed, 05 Dec 2007 04:56:10 GMT
Hi,
Thanks for your reply.
Please ensure you have run the "gpupdate /force" or restarted the server so
that the policy takes effect on SBS. Based on my test, if you change the
auditing settings, you can get events 560, 567, 562 in the Security log as
below:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 12/4/2007
Time: 8:43:24 PM
User: SBS\administrator
Computer: SBSSVR
Description:
Object Open:
    Object Server: Security
    Object Type: File
    Object Name: C:\Shares
    Handle ID: 1656
    Operation ID: {0,961718}
    Process ID: 5528
    Image File Name: C:\WINDOWS\explorer.exe
    Primary User Name: administrator
    Primary Domain: SBS
    Primary Logon ID: (0x0,0xB03E4)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses: READ_CONTROL
              WRITE_DAC
              ReadAttributes
    Privileges: -
    Restricted Sid Count: 0
    Access Mask: 0x60080

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 567
Date: 12/4/2007
Time: 8:43:24 PM
User: SBS\administrator
Computer: SBSSVR
Description:
Object Access Attempt:
    Object Server: Security
    Handle ID: 1640
    Object Type: File
    Process ID: 5528
    Image File Name: C:\WINDOWS\explorer.exe
    Accesses: WRITE_DAC
    Access Mask: 0x40000

If the problem persists, please help me collect the following information,
as I need to do deeper research:
1. Security log
   1) Click Start -> Run, type EVENTVWR.MSC and click OK.
   2) Right-click the Security Event, select "Save Log File As", and save it
      as an .evt file.
   3) Email me the file.
2. Run gpresult /v >c:\gpresult.txt on the SBS server. Send the gpresult.txt
   to v-robeli@xxxxxxxxxxxxx with the subject: Change to folder permissions -
   What event is logged.
I am looking forward to hearing from you.
If you need further assistance, please don't hesitate to let me know.
Best regards,
Robert Li(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
<From: J <japhyrider2005@xxxxxxxxx>
<Newsgroups: microsoft.public.windows.server.sbs
<Subject: Re: Change to folder permissions - What event is logged?
<Date: Sun, 2 Dec 2007 15:32:51 -0800 (PST)
<
<On Nov 28, 11:31 pm, v-rob...@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
<wrote:
<> Hi,
<>
<> Thanks for posting in our newsgroup.
<>
<> Based on my research, after you enabled Change Permission auditing, if
<> anyone changes the permission to this folder, Events 560 and 562 will be
<> shown in the Event Viewer (Security Logs).
<>
<> To see these events, first you need to take the following steps to
<> configure auditing:
<>
<> 1. Click Start, click Run, type "gpmc.msc" and click OK.
<> 2. Expand Domains -> your domain -> Domain Controllers.
<> 3. Right-click Small Business Server Auditing Policy and click Edit.
<> 4. Expand Computer Configuration -> Windows Settings -> Security Settings
<> -> Local Policies -> Audit Policy.
<> 5. In the right pane, double-click "Audit object access".
<> 6. To audit successful access of specified files, folders, select the
<> Success check box.
<> 7. To enable auditing of both, select both check boxes.
<> 9. Click OK.
<> 10. Run "gpupdate /force" or restart the computer so that the policy
<> takes effect on SBS.
<>
<> After you enable auditing, you need to specify the files, folders that
<> you want audited. To do so:
<>
<> 1. In Windows Explorer, locate the file or folder you want to audit.
<> 2. Right-click the file, folder that you want to audit, and then click
<> Properties.
<> 3. Click the Security tab, and then click Advanced.
<> 4. Click the Auditing tab, and then click Add.
<> 5. In the "Enter the object name to select" box, type the name of the
<> user or group whose access you want to audit.
<> 6. Click OK.
<> 7. Select the Successful or Failed check boxes for Change Permission
<> action you want to audit, and then click OK.
<> 8. Click OK, and then click OK.
<>
<> More information:
<>
<> 174073 Auditing User Authentication
<> http://support.microsoft.com/?id=174073
<>
<> Hope this helps.
<>
<> If you need further assistance, please don't hesitate to let me know.
<>
<> Best regards,
<>
<> Robert Li(MSFT)
<>
<> Microsoft CSS Online Newsgroup Support
<>
<> Get Secure! - www.microsoft.com/security
<>
<> --------------------
<> <From: J <japhyrider2...@xxxxxxxxx>
<> <Newsgroups: microsoft.public.windows.server.sbs
<> <Subject: Change to folder permissions - What event is logged?
<> <Date: Tue, 27 Nov 2007 15:12:31 -0800 (PST)
<> <
<> <Hello,
<> <Someone changed permissions on a folder on my SBS 2003 server. What
<> <event ID should I look for? Thanks. I think I am auditing as I
<> <should to see this.
<> <
<
<Robert, thanks very much for the detailed response. I don't see these
<events so I'll double check my settings with help of your
<document....thanks again.
<
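
Added example (not part of the original post and not Microsoft code): a small Python parser for Event Viewer text like the 560/567 records shown above. It decodes the Access Mask field with the standard winnt.h bit values and reports only the records that include WRITE_DAC, the right needed to change permissions. The first two sample records are trimmed from the post; the third record and the user "jdoe" are constructed for contrast.

```python
# Standard and file-specific access-right bits (values from winnt.h).
FILE_RIGHTS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute", 0x40: "DeleteChild",
    0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
WRITE_DAC = 0x40000  # right to modify the object's DACL

# First two records are trimmed from the post; the third is constructed
# (hypothetical user "jdoe") as a read-only open that must not be flagged.
SAMPLE_LOG = """\
Event ID: 560
User: SBS\\administrator
Object Name: C:\\Shares
Access Mask: 0x60080
Event ID: 567
User: SBS\\administrator
Access Mask: 0x40000
Event ID: 560
User: SBS\\jdoe
Object Name: C:\\Shares\\report.doc
Access Mask: 0x20080
"""

def decode_mask(mask):
    """Return the names of the access-right bits set in mask."""
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]

def parse_events(text):
    """Split 'Field: value' lines into one dict per 'Event ID' record."""
    events = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key == "Event ID":
            events.append({})
        if sep and events:
            events[-1][key] = value
    return events

def permission_changes(text):
    """Return (event id, user, object, rights) for 560/567 with WRITE_DAC."""
    hits = []
    for ev in parse_events(text):
        mask = int(ev.get("Access Mask", "0"), 16)
        if ev.get("Event ID") in ("560", "567") and mask & WRITE_DAC:
            hits.append((ev["Event ID"], ev.get("User"),
                         ev.get("Object Name"), decode_mask(mask)))
    return hits
```

Event 567 carries no Object Name field in the post's record, so the object is reported as None for that hit.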