
File Auditing - Guide Needed


QuarkIT

IS-IT--Management
Jan 11, 2005
34
US
Hey guys, I haven't seen much on here about File Auditing...I saw a few about people snooping around ETC.

I am not familiar with 2k3 as much as I'd like to be, but here is my current predicament.

We run a file-share server on Server 2k3.
We are a domain network. We login at our PCs, and depending on the user and what group they're assigned to, have access to different parts of the file share server.

Recently, in an attempt to reduce the amount of HDD space used, we had our PMs make a backup of all their projects and place it in a folder named "backup(projectname)" located in the same DIR as their project.

We simply burned those to DVD and removed the backups after we were done, nothing big. A few days later several people came to us (IT) with reports of files missing, entire directories being deleted, etc., which wasn't too significant, as I do daily backups.

After going through the logs, I realized that we had Auditing enabled, but not File Auditing. So I have no real way of knowing who is responsible for deleting them.

After realizing this, I created a testing file, gave myself permissions, and enabled full file auditing on the individual user. I went to the file on my PC, deleted a file, and added a file...and went to check the Audit logs to see if it showed up.

To my dismay, it doesn't show any log of me adding/removing any files. I timed myself exactly, and as my log is about 500 pages long, I went to the time frame, and nothing.

This folder is shared only to three people: myself, my boss, and the admin account of the server. I set up the file auditing on my account only for testing purposes.

Appreciate the help
 
on the NTFS tab of the file/folder you need to specify that you want to audit.... and what it is that you want to audit.

eg. you add the 'Everyone' group... if you want to see who deletes stuff, you tick success box on Delete & Delete subfolder and files.

and in the security node of local machine policy or GPO you have to activate auditing too.
\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy:
you have a lot to choose from.
you can concentrate on logon events and object access.
logon events: access network shares...
object access: user gains access to a file, folder or printer.

be careful not enabling too much auditing, cos you'll never find useful info otherwise...

audit resource access by the Everyone group rather than the Users group, this way you catch everyone.

basically two steps.
Activate Audit Object Access: success and/or failure
on the shared folder, enable Delete & Delete subfolder and files.


Aftertaf (david)
MCSA 2003
 
That's how we have it set up currently.

Here's how the directory is set up. There is a folder named "Testing Dir" which is shared. There are 3 people that have access to the folder.

Those 3 users are myself, my boss, and the server admin account. We enabled all auditing on my account.

Then to test the log to make sure it was logging the actions, I moved a file to the folder, and then deleted another.

After going back to the log, no evidence of my actions... :(
 
you checking the security log?
(silly question, but hey :) )

Aftertaf (david)
MCSA 2003
 
Yeah...was looking through the security log, and here's my predicament.

We just ran another test, because we thought it might have been a CAL issue with this PC (at one point it had 2 CALs).

We enabled Auditing on my boss's account on the file, full auditing.

At 8:50 AM today we copied two files to the folder, and deleted 1.

I checked from 8:49 to 8:53 in the security log, a lot of login/logoffs, but no log of his user account logging in, going to the folder, and doing anything.

I also noticed that most of the PCs are showing up as login/log-offs. I had him change his network ID to reauthenticate it, then tried it again, and still no log of userA accessing this particular file.

I'm getting frustrated, as everything appears to be set up properly, but I cannot find the log of any access to this folder at all.
 
strange...
google for audit problems dude ;)
good luck

Aftertaf (david)
MCSA 2003
 
Blah...we resolved it.

Here's what was wrong. Under Domain Controllers, right-click and hit Properties.

From there go to the Group Policy tab, select the Default (should be the only one) and press "Edit".

From there go to Computer Configuration, Windows Settings, Local Policies, Auditing.

There are several things listed there, but one we did not have enabled was "object access".

Once I enabled that, it displayed in the Security Log the user logging in, accessing files, making copies, etc. I didn't have a blatant log entry that stated the user deleted a file, but he was the only user in that folder at the time, so putting 2 and 2 together, we have the information we need.

Whew...
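The two halves of the fix described in this thread (the audit policy must be on, and the folder needs a SACL entry for Everyone on Delete / Delete subfolders and files) can be checked and applied from PowerShell. This is an added example, not from any poster; it assumes a current Windows version (Server 2008 R2 or later) where `auditpol` exists and file-system access is logged as events 4663/4660 (Server 2003 logged 560/564 instead), and the folder path is a placeholder.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# 1) confirm the Object Access / File System audit subcategory is enabled,
# 2) add the SACL entry the thread describes (Everyone, Delete + Delete subfolders
#    and files, Success) to a folder, 3) pull the resulting Security-log events.

$folder = 'D:\Shares\Testing Dir'   # placeholder: path of the audited share folder

# 1. Is object-access auditing on? Without this the SACL entry never produces an event.
#    On a domain controller this setting comes from the Default Domain Controllers GPO
#    (Audit object access); a local auditpol /set is overridden at the next gpupdate.
auditpol /get /subcategory:"File System"

# 2. Add the audit (SACL) entry. Get-Acl -Audit reads the SACL; Set-Acl writes it back.
$acl = Get-Acl -Path $folder -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]::Delete -bor `
           [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the entry landed on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 3. Who deleted what? 4663 = handle used to access an object (Accesses: DELETE),
#    4660 = object deleted. 4660 has no object name; match it to the preceding 4663
#    with the same Handle ID (Properties[7] in 4663, Properties[5] in 4660).
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $since } |
    Where-Object { $_.Id -eq 4660 -or $_.Message -match [regex]::Escape($folder) } |
    Select-Object TimeCreated, Id,
        @{ n = 'User';     e = { $_.Properties[1].Value } },
        @{ n = 'HandleId'; e = { if ($_.Id -eq 4663) { $_.Properties[7].Value } else { $_.Properties[5].Value } } },
        @{ n = 'Object';   e = { if ($_.Id -eq 4663) { $_.Properties[6].Value } else { '(see 4663 with same HandleId)' } } } |
    Format-Table -AutoSize
```

If step 1 reports "No Auditing", the SACL in step 2 is silently ignored, which is exactly the symptom this thread ran into; fix the GPO first, run `gpupdate /force`, then repeat the test.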
 
 