-1

What am I missing here? I'm trying to enable file auditing so I can see who deleted a file via security logs in Event Viewer. I created the below group policy: Computer Configuration > Windows Settings > Local Policies/Audit Policy > Audit Object Access, enabled for success and failure. The Enabled checkbox is checked for the policy. In the Delegation tab, the computer account I'm trying to set this up for has Read and Apply Group Policy selected, as well as Authenticated Users.

On the folder itself I've enabled auditing for "Everyone" for "Delete subfolders and files" as well as "Delete". Success and failure are set up for these. gpresult shows the policy is applied; not sure if it matters, but gpedit shows the policy is not applied.

Where else should this be set?

selachka
  • What is the value of registry setting: `Key: HKLM\System\CurrentControlSet\Control\Lsa\ Value:SCENoApplyLegacyAuditPolicy` – Greg Askew Jan 03 '17 at 21:28
  • Key: HKLM\System\CurrentControlSet\Control\Lsa\ Value:SCENoApplyLegacyAuditPolicy is set to 1 – selachka Jan 03 '17 at 21:31
  • That means legacy audit policies are not applied. – Greg Askew Jan 03 '17 at 21:33
  • Every time I run gpupdate that registry value changes back to 1. I checked GPO's that were inherited and cannot find the conflict. – selachka Jan 03 '17 at 21:50
  • Run gpresult /h gpresult.html. The policy is Windows Settings > Security Settings > Local Policies > Security Options: Audit: Force audit policy subcategory settings – Greg Askew Jan 03 '17 at 22:00
  • Found it. Thanks Greg!! I went ahead and enabled "Audit File System" under Advanced Audit Configuration and this appears to work. I'm assuming the "Advanced Audit Configuration" replaced the legacy audit policy? – selachka Jan 03 '17 at 22:11
  • Right. Advanced policies are usually the way to go, unless there is a need to continue using legacy policies. – Greg Askew Jan 04 '17 at 01:02

2 Answers

0

When legacy audit policies are used, the group policy setting

"Windows Settings > Security Settings > Local Policies > Security Options: Audit: Force audit policy subcategory settings"

must be disabled. The default, if not configured, is enabled.

It is also a good idea not to mix legacy and advanced audit policy settings.

Greg Askew
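The comment exchange above (the `SCENoApplyLegacyAuditPolicy` value that keeps reverting to 1) and this answer both come down to one check: is the machine applying legacy audit categories or advanced subcategories, and which GPO is forcing that? The following PowerShell is an added example, not code from the thread or from either poster; it reads the registry value named in the comments, prints the effective "File System" subcategory with `auditpol`, and searches a fresh `gpresult` report for the forcing setting. The report path under `$env:TEMP` is an assumption; run it in an elevated session on the audited machine.

```powershell
# Added example (not from the thread): find out why a legacy "Audit Object Access"
# policy is being ignored and which audit settings are actually in effect.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue

if ($null -eq $lsa) {
    Write-Output 'SCENoApplyLegacyAuditPolicy is not set: legacy Audit Policy categories apply.'
} elseif ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Output 'SCENoApplyLegacyAuditPolicy = 1: Advanced Audit Policy subcategories win; legacy category settings are ignored.'
} else {
    Write-Output "SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy): legacy Audit Policy categories apply."
}

# The per-subcategory setting is what file-system SACLs are actually evaluated against.
# "File System" is the subcategory behind "Audit File System" in Advanced Audit Policy Configuration.
auditpol /get /subcategory:"File System"

# Generate the RSoP report (as suggested in the comments) and look for the setting that
# forces subcategory behaviour: "Audit: Force audit policy subcategory settings".
$report = Join-Path $env:TEMP 'gpresult.html'   # assumed output location
gpresult /h $report /f
Select-String -Path $report -Pattern 'Force audit policy subcategory settings' -SimpleMatch |
    Select-Object -First 3
```

If `auditpol` reports "No Auditing" for File System while the registry value is 1, the folder SACL from the question will never produce events no matter how the legacy category is set; enabling "Audit File System" under Advanced Audit Policy Configuration (as the asker did) or disabling the forcing setting are the two consistent fixes, and the answer's advice not to mix the two models is why you should pick one.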
0

First you will need to turn on auditing, from either local policies, or domain policies and apply it to the machine you want to audit. Once the policy is set you need to configure auditing on everything you want to audit, and that will start adding events to the event log.

GPEDIT:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit Object Access

You can turn on success, because if they don't have access to delete things then it would create a failure, so you don't want to monitor those events.

Once that is in place, go to the folder you want to monitor, right-click it and go to Properties.

Click the Security tab --> Advanced --> Auditing tab --> Edit --> Add --> then add the group that has access to that folder --> select the events you want to audit and click OK --> select "Replace all existing inheritable audit entries" to apply the audit on all subfolders and files, and click OK.

You are now auditing that folder. You will need to monitor the event logs for the particular events. Also see the links below:

Track file deletions and permission changes on Windows file server: https://community.spiceworks.com/how_to/123983-track-file-deletions-and-permission-changes-on-windows-file-server

How to enable file and folder access auditing on Windows Server 2008 and 2008 R2: https://community.spiceworks.com/how_to/122828-how-to-enable-file-and-folder-access-auditing-on-windows-server-2008-and-2008-r2

Hope this helps!

Steve
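The GUI steps in this answer (add an audit entry for Delete, inherit it to all subfolders and files, then watch the Security log) can be scripted and, more usefully, the resulting events can be correlated so you get a file name next to the user who deleted it. The following PowerShell is an added example, not the answer's own code. `Enable-DeleteAuditing` writes the same SACL the answer configures by hand, and `Get-FileDeletionEvents` joins event 4663 (access attempt, which carries the object name and access mask) with event 4660 (object deleted, which carries only the handle) on `HandleId`. The folder path, the 24-hour lookback and the function names are assumptions; an elevated session is required because reading and writing SACLs needs SeSecurityPrivilege.

```powershell
# Added example (not from the answer): apply the delete-audit SACL with PowerShell
# instead of the GUI, then pull correlated deletion records from the Security log.

function Enable-DeleteAuditing {
    param([Parameter(Mandatory)][string]$Path)

    # -Audit is required so Get-Acl returns the SACL (audit entries), not only the DACL.
    $acl = Get-Acl -Path $Path -Audit

    $rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    # Audit "Everyone" for Delete and Delete subfolders and files, inherited by every child.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, $inherit, $propagate, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileDeletionEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))   # assumed lookback window

    # 4663 = "An attempt was made to access an object" (file name + access mask);
    # 4660 = "An object was deleted" (no file name; correlate through HandleId).
    $filter = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $pending = @{}   # HandleId -> details of a 4663 that requested DELETE
    $results = foreach ($e in ($events | Sort-Object TimeCreated)) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        if ($e.Id -eq 4663) {
            # DELETE is bit 0x10000 of the access mask (logged as a hex string such as "0x10000").
            if (([int]$data['AccessMask'] -band 0x10000) -ne 0) {
                $pending[$data['HandleId']] = [pscustomobject]@{
                    Time    = $e.TimeCreated
                    User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    File    = $data['ObjectName']
                    Process = $data['ProcessName']
                }
            }
        } elseif ($e.Id -eq 4660 -and $pending.ContainsKey($data['HandleId'])) {
            # The delete completed: emit the correlated record and drop the handle.
            $pending[$data['HandleId']]
            $pending.Remove($data['HandleId'])
        }
    }
    $results
}

# Usage (folder path is a placeholder):
Enable-DeleteAuditing -Path 'D:\Shares\Finance'
Get-FileDeletionEvents | Format-Table Time, User, File, Process -AutoSize
```

A 4663 with the DELETE bit set but no matching 4660 means the handle was opened with delete access but the object was not actually removed (for example, a rename or a cancelled operation), so the correlation above is what separates "could have deleted" from "did delete". The SACL by itself produces nothing: the "File System" subcategory (or, on machines still using legacy categories, "Audit Object Access") must be enabled for success, which is the part of the setup the original question was missing.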