To audit user access to Active Directory objects, configure the Audit Directory Service Access event category in the audit policy setting. Select Define These Policy Settings, and then select one or both of the following check boxes:
Right-click any other event category that you want to audit, and then select Properties. The changes that you make to your computer's audit policy setting take effect only when the policy setting is propagated or applied to your computer. Complete either of the following steps to initiate policy propagation:
If you are either a domain or an enterprise administrator, you can enable security auditing for workstations, member servers, and domain controllers remotely.
After you configure an audit policy setting, you can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access you want to audit.
To configure auditing for specific Active Directory objects: Right-click the Active Directory object that you want to audit, and then select Properties. Select either the Successful or the Failed check box for the actions that you want to audit, and then select OK. The size of the Security log is limited.
Step 2: Click the OK button to launch the local group policy editor. You should see all available policies in the right pane. Next, you will need to apply the audit policy to the file or folder that you want to track.
Follow the steps below to apply the audit policy: Step 3: On the Security tab, click Advanced. You should see the following screen. Step 4: On the Auditing tab, click Continue.
Step 5: Now, you will need to add a new audit policy.
One user generates entries for on file opened? What about my production environment with 50 users and thousands of files? Quote from Ron Schnieder in Jaws, "We are going to need a bigger boat!" That is normal, unfortunate but normal. When a machine opens a file there may be several hooks into the file to handle different things.
Each one of these is recorded in the audit log. Also, opening a file generates hits for opening a folder, depending on how you set up auditing. In fact, when I worked at MS it was not recommended to turn file access auditing on unless you were looking at a specific file or folder for a specific reason. Yes, that is normal. If you wish to enable object access auditing, then you will generate literally thousands of , , , and events.
The next time Group Policy refreshes on devices in scope of the GPO, the auditing setting you configured in the policy above will be applied. In Windows Server , event ID can indicate different types of events, including ownership of file taken, generic file read, and ACL on files modified. Type msc in the Run dialog, and click OK. Close the Group Policy Management Console.