1

I am trying to more closely audit my users' access of files located on a file share. The file share is served by a server running Windows Server 2008 R2 and running the Windows Search Service. I am having a problem with too many Event 4663s ("An attempt was made to access an object").

The problem occurs because when a user browses to a folder using Windows Explorer and then executes a search on the file share, the system generates an event 4663 for each result returned.

This may generate thousands of events within a minute. Is there any way for me to change the way the search hits are logged? Perhaps the search service could have its own user? Or can I disable the ability to full-text search?

SLY
  • How about getting rid of the search service altogether? – joeqwerty Apr 29 '11 at 19:12
  • I think disabling the service would not prevent clients from executing a search on the file share. I might need a change to the Group Policy. But I am considering using Search Server Express in lieu of the search service. – SLY Apr 29 '11 at 20:07

1 Answer

1

It's a group policy setting. Now when a user searches, the results are not logged as a file accessed.

Turn off the display of snippets in Content view

Location: User Configuration – Administrative Templates – Windows Components – Windows Explorer

This policy lets you disable the display of file content snippets when Content view is turned on. Content view is the default view returned when a search is executed and shows snippets of content of returned files.

Default configuration: Snippets are displayed in Content view

Purpose: This policy should be enabled if you want to disable showing snippets of file contents by default when a search is returned. This helps users avoid displaying sensitive data accidentally through Windows Explorer searches while in a non-secure environment.

http://technet.microsoft.com/en-us/library/dd744697(WS.10).aspx#WS_TurnOffDisplayofSnippets

SLY
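
To check whether search-driven bursts of Event 4663 stop once the policy is applied, the event volume can be measured per user per minute before and after the change. The following is an added example, not part of the original question or answer; the function names, the threshold of 100 and the sample records are assumptions constructed for illustration.

```powershell
# Added example: count 4663 events per user per minute and report bursts.
function Get-AccessBurst {
    param(
        [Parameter(Mandatory = $true)] [object[]] $AccessEvent,  # objects with Time, User, Path
        [int] $Threshold = 100                                   # assumed cut-off; tune per site
    )
    $AccessEvent |
        Group-Object { '{0}|{1:yyyy-MM-dd HH:mm}' -f $_.User, $_.Time } |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $user, $minute = $_.Name -split '\|', 2
            New-Object PSObject -Property @{
                User          = $user
                Minute        = $minute
                Events        = $_.Count
                DistinctPaths = @($_.Group | Select-Object -ExpandProperty Path -Unique).Count
            }
        }
}

# Turn a live Security-log record into the shape above, reading fields by name from the event XML.
function ConvertFrom-Event4663 {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time = $Record.TimeCreated
            User = $data['SubjectUserName']
            Path = $data['ObjectName']
        }
    }
}

# Constructed sample: one user producing 150 events in 30 seconds (search-like), one browsing normally.
$t0 = Get-Date '2011-04-29 19:00:00'
$sample = @(1..150 | ForEach-Object {
    New-Object PSObject -Property @{ Time = $t0.AddMilliseconds(200 * $_); User = 'alice'; Path = "D:\Share\doc$_.txt" }
})
$sample += 1..3 | ForEach-Object {
    New-Object PSObject -Property @{ Time = $t0.AddSeconds(10 * $_); User = 'bob'; Path = "D:\Share\report$_.xls" }
}
Get-AccessBurst -AccessEvent $sample | Format-Table User, Minute, Events, DistinctPaths -AutoSize

# On the file server (elevated), the same report over the last hour of the Security log:
# Get-AccessBurst -AccessEvent (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddHours(-1)} | ConvertFrom-Event4663)
```

A minute in which one user touches a large number of distinct paths is the pattern the question describes; running the report before and after the Group Policy change shows whether those rows disappear.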