I'm trying to simply enable file auditing on a windows share (2012 R2)on top of cluster shared volume. But it doesn't behave as I expected it to behave. Here's the story:
- I enabled file auditing policy and confirmed that it was applied by RSOP.msc
- Enabled auditing on a file level for a text file on my desktop (with full permission audits/on failure only)
- denied my user read permissions to the file to see if the audit works fine as expected.
- audit did take place and logged the error on event viewer.
Now that I got it working, I applied to same settings to a CSV share and waited to catch the events, nothing came up even a user was denied access to overwrite a file.
Why do you think the failure did not create a log? Is there anything else I needed to do? Is it possible that CSV shares behave differently then local drives? (I doubt that, but it may be a possibility)
