Folder monitoring, GPO



gum digger
02-08-2011, 12:29 AM
Hi
I have a folder containing a few files shared on a Server 2008/NTFS partition, which is also a domain controller. In Group Policy Management I have created an organizational unit under the domain, and under the OU I have defined a GPO on which I have configured auditing for the object, i.e. the folder I wish to monitor.

Go to ‘Start’ -> ‘Run’ -> ‘mmc’.
Click on ‘File’ -> ‘Add/Remove Snap-in…’
Click on the ‘Add’ button, select ‘Group Policy Object Editor’ from the list and click on ‘Add’.
Choose the group policy you want to configure auditing for, then click on ‘Finish’.
Click on ‘Close’.
In the Group Policy Object Editor, expand ‘Computer Configuration’.
Expand ‘Windows Settings’ -> ‘Security Settings’ -> ‘Local Policies’.
Click on ‘Audit Policy’ and open the ‘Audit object access’ properties.
Enable the ‘Success’ and ‘Failure’ check boxes depending on the kind of auditing you want to have.


Then I have added the users/groups I wish to audit in the Auditing tab under folder properties/security.

However, this isn't working; I cannot see a single event logged if I go to Event Viewer - Windows Logs - Security. I try to find it by folder name/users but nothing. To create event entries I deliberately logged in using the defined usernames and viewed the files.

Can someone help please?

Barnabas
02-08-2011, 10:15 AM
Once you have turned it on, don't you actually have to go into the properties of the folder under Advanced and turn auditing on there as well, or something like that? Haven't done this for ages but vaguely remember doing something like that.

Ignore that...just read your post properly


The only other thing I can think of is that the policy is getting overwritten.
Try this from Microsoft

To ensure that Advanced Audit Policy Configuration settings are not overwritten
On CONTOSO-SRV, click Start, point to Administrative Tools, and then click Group Policy Management.

In the console tree, double-click Forest: contoso.com, double-click Domains, and then double-click contoso.com.

Right-click Default Domain Policy, and then click Edit.

Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.

Double-click Security Settings, and then click Security Options.

Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then click Define this policy setting.

Click Enabled, and then click OK.

mikebartnz
02-08-2011, 10:54 AM
With all that clicking I can't help but laugh when people say the command line is bad news.:rolleyes:

SolMiester
02-08-2011, 03:04 PM
You have to link and enable the new GPO to an object, usually an OU, however you can link to a SG...
Move your objects into the new OU......!
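
The checks raised in this thread (is the GPO applied to the server, is the audit category being overridden, does the folder have audit entries, are events being written) can be run from the command line. This is an added example, not part of any post above; it assumes an elevated PowerShell 2.0 or later session on the file server, and the folder path is a placeholder.

```powershell
# Added example. $Folder is a hypothetical path; point it at the audited share.
param([string]$Folder = 'D:\Shares\Audited')

# 1. Audit policy lives under Computer Configuration, so the GPO must be in
#    scope for this server's computer account. List the applied computer GPOs.
gpresult /r /scope computer

# 2. Effective setting for the File System subcategory of object access.
#    "No Auditing" here means no file events will be logged, whatever the SACL says.
auditpol /get /subcategory:"File System"

# 3. "Audit: Force audit policy subcategory settings..." is stored in this
#    registry value. 1 = subcategory settings win over the legacy
#    "Audit object access" category setting.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($null -eq $lsa.SCENoApplyLegacyAuditPolicy) {
    'SCENoApplyLegacyAuditPolicy: not set'
} else {
    'SCENoApplyLegacyAuditPolicy: ' + $lsa.SCENoApplyLegacyAuditPolicy
}

# 4. Audit entries (SACL) on the folder. Reading them needs an elevated session.
$sacl = (Get-Acl -Path $Folder -Audit).Audit
if (-not $sacl) {
    "No audit entries on $Folder"
} else {
    $sacl | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize |
        Out-String
}

# 5. Recent object-access events that mention the folder.
#    4656 = handle requested, 4663 = access attempted (Vista/2008 and later).
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
            -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Folder*" }

if ($hits) {
    $hits | Select-Object -First 20 TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize | Out-String
} else {
    "No 4656/4663 events mention $Folder in the last 2000 matching records"
}
```

If step 2 reports "No Auditing" after `gpupdate /force`, the policy is not reaching the server; if step 2 is enabled but step 4 is empty, the folder's audit entries are the missing piece.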

fred_fish
02-08-2011, 08:29 PM
With all that clicking I can't help but laugh when people say the command line is bad news.:rolleyes:

+1
:lol
