2

I was trying to audit file access on a Windows 2008 R2 server, and (my fault) enabled it for the entire volume (say, disk e:). Of course I was getting lots of entries in the security log, a big amount to handle, and even bigger when trying to understand how this works. Anyway, I deleted the SACL for the volume (Properties, Security, Advanced, Audit), but all file access kept being audited. If I disable object access auditing in the local policies the system stops logging, but when I create a test folder, set its SACL and enable auditing, the entire disk object access starts being audited again, even when its own SACL is empty. I also set and deleted the SACL in the first folder level, just in case it was an inheritance issue, but got no results. Can you guys help me with this? I am not using advanced auditing, by the way. T.I.A.

Jorge

user190488
  • Just in case, I created a "fake" domain user and set the volume SACL to audit this specific user, expecting that this setting will overwrite the previous one (even though it was not visible). Well, this did not work. System keeps logging object access from every user account. Thanks again, Jorge – user190488 Sep 19 '13 at 14:55
  • I changed to advanced auditing, but the system still logs object access from the whole drive. – user190488 Sep 20 '13 at 12:43

1 Answer

0

Have you tried checking "Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object"?

  • Hi, thanks for your answer! Sure, I checked it. As far as the Windows graphical interface shows, there is no object auditing enabled in any folder. – user190488 Sep 18 '13 at 15:17
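
One way to check the SACLs without relying on the GUI, as an added example that is not part of the original question or answer: the script below walks a volume and lists every audit entry still present, marking each as explicit or inherited. The function name `Get-AuditEntry` is hypothetical, `E:\` is the drive from the question, and it assumes PowerShell 3.0 or later and an elevated session.

```powershell
# Added example (not from the original thread).
# Reading a SACL requires an elevated session holding SeSecurityPrivilege.
# Assumes PowerShell 3.0+ for -LiteralPath on Get-Acl and [pscustomobject].

function Get-AuditEntry {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [switch]$ExplicitOnly   # skip entries inherited from a parent
    )

    # Stream the root itself, then every descendant (hidden/system included).
    & {
        Get-Item -LiteralPath $Root -Force
        Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $path = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $path -Audit -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read SACL on ${path}: $($_.Exception.Message)"
            return   # next pipeline item
        }

        # GetAuditRules(includeExplicit, includeInherited, targetType)
        $rules = $acl.GetAuditRules($true, (-not $ExplicitOnly),
                                    [System.Security.Principal.NTAccount])
        foreach ($rule in $rules) {
            [pscustomobject]@{
                Path        = $path
                Identity    = $rule.IdentityReference.Value
                Rights      = $rule.FileSystemRights
                AuditFlags  = $rule.AuditFlags          # Success, Failure or both
                IsInherited = $rule.IsInherited
                Inheritance = $rule.InheritanceFlags    # ContainerInherit / ObjectInherit
            }
        }
    }
}

# Effective audit policy for file objects, as the system sees it.
auditpol /get /subcategory:"File System"

# Every audit entry on the volume; an empty result means no file or folder
# that could be read carries a SACL entry.
Get-AuditEntry -Root 'E:\' | Sort-Object Path | Format-Table -AutoSize
```

Rows with `IsInherited` set to `False` are entries defined directly on that object; paths reported by the warnings could not be read and need to be checked separately.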